?? ,

and Moti Yung2

Universit´e catholique de Louvain, ICTEAM Institute (Belgium) 2 Google Inc. and Columbia University (USA)

Abstract. Group signatures are a central cryptographic primitive, simultaneously supporting accountability and anonymity. They allow users to anonymously sign messages on behalf of a group they are members of. The recent years saw the appearance of several constructions with security proofs in the standard model (i.e., without appealing to the random oracle heuristic). For a digital signature scheme to be adopted, an efficient revocation scheme (as in regular PKI) is absolutely necessary. Despite over a decade of extensive research, membership revocation remains a non-trivial problem in group signatures: all existing solutions are not truly scalable due to either high overhead (e.g., large group public key size), or limiting operational requirement (the need for all users to follow the system’s entire history). In the standard model, the situation is even worse as many existing solutions are not readily adaptable. To fill this gap and tackle this challenge, we describe a new revocation approach based, perhaps somewhat unexpectedly, on the Naor-Naor-Lotspiech framework which was introduced for a different problem (namely, that of broadcast encryption). Our mechanism yields efficient and scalable revocable group signatures in the standard model. In particular, the size of signatures and the verification cost are independent of the number of revocations and the maximal cardinality N of the group while other complexities are at most polylogarithmic in N . Moreover, the schemes are history-independent: unrevoked group members do not have to update their keys when a revocation occurs. Keywords. Group signatures, revocation, standard model, efficiency.

1

Introduction

As suggested by Chaum and van Heyst in 1991 [32], group signatures allow members of a group to anonymously sign messages on behalf of a population group members managed by a group authority. Using some trapdoor information, a tracing authority must be able to “open” signatures and identify the signer. A complex problem in group signatures is the revocation of members whose signing capability should be disabled (either because they misbehaved or they intentionally leave the group). 1.1

Related Work

Group signatures without revocation. The first provably coalition-resistant scalable group signature was described by Ateniese, Camenisch, Joye and Tsudik in 2000 [7]. At that time, the security of group signatures was not totally understood and proper security definitions were given later on by Bellare, Micciancio and Warinschi [9] (BMW) whose model captures all the requirements of group signatures in three properties. In (a relaxation of) this model, Boneh, Boyen and Shacham [16] obtained a construction in the random oracle model [10] with signatures shorter than 200 bytes [13]. In the BMW model, the population of users is frozen after the setup phase beyond which no new member can be added. Dynamic group signatures were independently formalized by Kiayias and Yung [45] and Bellare-Shi-Zhang [11]. In these models, pairing-based schemes with relatively short signatures were put forth in [54, 33]. Ateniese et al. [6] also gave a construction without random oracles using interactive assumptions. In the BMW model [9], Boyen and Waters independently came up with a different standard model proposal [19] using more classical assumptions and they subsequently refined their scheme [21] to ?

??

This author was supported by the Belgian Fund for Scientific Research (F.R.S.-F.N.R.S.) via a “Charg´e de recherches” fellowship. Supported by the IUAP B-Crypt Project and the Walloon Region Camus Project.

obtain constant-size signatures. In the dynamic model [11], Groth [38] described a system with constantsize signatures without random oracles but this scheme was rather a feasibility result than an efficient construction. Later on, Groth gave [39] a fairly efficient realization – with signatures consisting of about 50 group elements – in the standard model with the strongest anonymity level. Revocation. In group signatures, membership revocation has received much attention in the last decade [22, 8, 29, 18] since revocation is central to digital signature schemes. One simple solution is to generate a new group public key and deliver a new signing key to each unrevoked member. However, in large groups, it may be inconvenient to change the public key and send a new secret to signers after they joined the group. An alternative approach taken by Bresson and Stern [22] is to have the signer prove that his membership certificate does not appear in a public list or revoked certificates. Unfortunately, the signer’s workload and the size of signatures grow with the number of expelled users. Song [55] presented an approach handling revocation in forward-secure group signatures. However, verification takes linear time in the number of excluded users. Using accumulators1 [12], Camenisch and Lysyanskaya [29] proposed a method (notably followed by [60, 27]) to revoke users in the ACJT group signature [7] while keeping O(1) costs for signing and verifying. While elegant, this approach is history-dependent and requires users to keep track of all changes in the population of the group: at each modification of the accumulator value, unrevoked users need to update their membership certificates before signing new messages, which may require O(r) exponentiations – if r is the number of revoked users – in the worst case. Brickell [23] suggested the notion of verifier-local revocation group signatures, which was formalized by Boneh and Shacham [18] and further studied in [50, 61, 48]. In their systems, revocation messages are only sent to verifiers (making the signing algorithm independent of the number of revocations). The group manager maintains a revocation list (RL) which is used by verifiers to make sure that signatures were not generated by a revoked member. The RL contains a token for each revoked user and the verification algorithm has to verify signatures w.r.t. each token (a similar revocation mechanism is used in [24]). As a result, the verification cost is inevitably linear in the number of expelled users. More recently, Nakanishi, Fuji, Hira and Funabiki [49] described a construction with constant complexities for signing/verifying and where group members never have to update their credentials. On the other hand, their proposal has the disadvantage of linear-size group public keys (in the maximal number N of users), although a tweak allows reducing the size to O(N 1/2 ). In the context of anonymous credentials, Tsang et al. [58, 59] showed how to blacklist users without compromising their anonymity or involving a trusted third party. Their protocols either have linear proving complexity in the number of revocations or rely on accumulators (which may be problematic for our purposes). Camenisch, Kohlweiss and Soriente [28] suggested to handle revocations by periodically updating users credentials in which a specific attribute indicates a validity period. While useful in certain applications of anonymous credentials, in group signatures, their technique would place quite a burden on the group manager who would have to generate updates for each unrevoked individual credential. 1.2

Our Contribution

For the time being and despite over a decade of research efforts, group signatures in the standard model have no revocation mechanism allowing for scalable (i.e., constant or polylogarithmic) verification time without dramatically degrading the efficiency in other metrics and without being history-dependent. In pairingbased group signatures, accumulator-based approaches are unlikely to result in solutions supporting very large groups. The reason is that, in known pairing-based accumulators [53, 27], public keys have linear size in the maximal number of accumulated values (unless one sacrifices the constant size of proofs of 1

An accumulator allows hashing a set of values into a short string of constant size while allowing to efficiently prove that a specific value was accumulated.

2

non-membership as in [5]), which would result in linear-size group public keys in straightforward implementations. Recently [35], Fan et al. suggested a different way to use the accumulator of [27] and announced constant-size group public keys but their scheme still requires the group manager to publicize O(N ) values at each revocation. In a revocation mechanism along the lines of [29], Boneh, Boyen and Shacham [16] managed to avoid linear dependencies. However, their technique seems hard to combine2 with Groth-Sahai proofs [40] so as to work in the standard model, which is our goal. In addition, we would like to save unrevoked users from having to update their keys after each revocation. To this end, it seems possible to adapt the approach of Nakanishi et al. [49] in the standard model. However, merely replacing sigma-protocols by Groth-Sahai proofs in the scheme of [49] would result in group public keys of size O(N 1/2 ) in the best case. In this paper, we describe a novel and scalable revocation technique that interacts nicely with GrothSahai proofs and gives constructions in the standard model with O(1) verification cost and at most polylogarithmic complexity in other metrics. Our approach bears similarities with the one of Nakanishi et al. [49] in that it does not require users to update their membership certificates at any time but, unlike [49], our group public key size is either O(log N ) or constant. Like the scheme of [49], our main system uses revocation lists (RLs) of size O(r) – which is in line with certificate revocation lists of standard PKIs – and we emphasize that these are not part of the group public key: verifiers only need to know the number of the latest revocation epoch and they do not have to read RLs entirely. To obtain our constructions, we turn to the area of broadcast encryption and build on the Subset Cover framework of Naor, Naor and Lotspiech [51] (NNL). In a nutshell, the idea is to use the NNL ciphertext as a revocation list and have non-revoked signers prove their ability to decrypt in order to convince verifiers that they are not revoked. In its public-key variant, due to Dodis and Fazio [34], the Subset Cover framework relies on hierarchical identity-based encryption (HIBE) [44, 37] and each NNL ciphertext consists of several HIBE encryptions. To anonymously sign a message, we let group members commit to the specific HIBE ciphertext that they can decrypt (which gives constant-size signatures since only one ciphertext is committed to), and provide a non-interactive proof that: (i) they hold a private key which decrypts the committed HIBE ciphertext. (ii) The latter belongs to the revocation list. By applying this approach to the Subset Difference (SD) method [51], we obtain a scheme with O(1)-size signatures, O(log N )-size group public keys, membership certificates of size O(log3 N ) and revocation lists of size O(r). The Layered Subset Difference method [41] can be used in the same way to obtain membership certificates of size O(log2.5 N ) while retaining the same efficiency elsewhere. Using the Complete Subtree method, we also obtain a tradeoff with O(r · log N ) revocation lists, log-size membership certificates and constant-size group public keys (comparisons among schemes are given in Section 4). A natural question is whether our SD-based revocable group signatures can generically use any HIBE scheme. The answer is negative as the Boneh-Boyen-Goh (BBG) construction [15] is currently the only suitable candidate. For anonymity reasons, ciphertexts should be of constant size and our security proof requires the HIBE system to satisfy a new and non-standard security property which is met by [15]. As we will see, the proof can hardly rely on the standard security notion for HIBE schemes [37]. We note that the new revocation mechanism can find applications in contexts other than group signatures. For example, it seems that it can be used in the oblivious transfer with access control protocol of [26], which also uses the technique of Nakanishi et al. [49] to revoke credentials.

2

In the scheme of [16], signing keys consist of pairs (g 1/(ω+s) , s) ∈ G × Zp , where ω ∈ Zp is the private key of the group manager, and the revocation mechanism relies on the availability of the exponent s ∈ Zp . In the standard model, the Groth-Sahai techniques would require to turn the membership certificates into triples (g 1/(ω+s) , g s , us ), for some u ∈ G (as in [21]), which is no longer compatible with the revocation technique.

3

2 2.1

Background Bilinear Maps and Complexity Assumptions

We use bilinear maps e : G × G → GT over groups of prime order p where e(g, h) 6= 1GT if and only if g, h 6= 1G . In these groups, we rely on hardness assumptions that are all falsifiable [52]. Definition 1 ([16]). The Decision Linear Problem (DLIN) in G, is to distinguish the distributions R R (g a , g b , g ac , g bd , g c+d ) and (g a , g b , g ac , g bd , g z ), with a, b, c, d ← Z∗p , z ← Z∗p . The Decision Linear Assumption is the intractability of DLIN for any PPT distinguisher D. q

Definition 2 ([13]). The q-Strong Diffie-Hellman problem (q-SDH) in G is, given (g, g a , . . . , g (a ) ), R R for some g ← G and a ← Zp , to find a pair (g 1/(a+s) , s) ∈ G × Zp . Finally, we appeal to yet another “q-type” assumption introduced by Abe et al. [2]. Definition 3 ([2]). In a group G, the q-Simultaneous Flexible Pairing Problem (q-SFP) is, given gz , hz , gr , hr , a, a ˜, b, ˜b ∈ G and q ∈ poly(λ) tuples (zj , rj , sj , tj , uj , vj , wj ) ∈ G7 such that e(a, a ˜) = e(gz , zj ) · e(gr , rj ) · e(sj , tj )

and

e(b, ˜b) = e(hz , zj ) · e(hr , uj ) · e(vj , wj ),

(1)

to find a new tuple (z ? , r? , s? , t? , u? , v ? , w? ) ∈ G7 satisfying relation (1) and such that z ? 6= 1G and z ? 6= zj for j ∈ {1, . . . , q}. 2.2

Groth-Sahai Proof Systems

In the following notations, for equal-dimension vectors or matrices A and B containing group elements, A B stands for their entry-wise product. In their instantiations based on the DLIN assumption, the Groth-Sahai (GS) techniques [40] make use of prime order groups and a common reference string comprising vectors f~1 , f~2 , f~3 ∈ G3 , where f~1 = (f1 , 1, g), ~ = (1, 1, X) f~1 r f~2 s f~3 t f~2 = (1, f2 , g) for some f1 , f2 ∈ G. To commit to an element X ∈ G, one sets C ξ1 ξ2 R with r, s, t ← Z∗p . When the CRS is configured to give perfectly sound proofs, we have f~3 = f~1 f~2 where ~ = (f r+ξ1 t , f s+ξ2 t , X · g r+s+t(ξ1 +ξ2 ) ) are then Boneh-Boyen-Shacham (BBS) ξ1 , ξ2 ∈ Z∗p . Commitments C 2 1 ciphertexts [16] that can be decrypted using β1 = logg (f1 ), β2 = logg (f2 ). In the witness indistinguishability ~ is a perfectly hiding commitment. Under the (WI) setting, vectors f~1 , f~2 , f~3 are linearly independent and C DLIN assumption, the two kinds of CRS are computationally indistinguishable. r s R ~ =ϕ To commit to a scalar x ∈ Zp , one computes C ~ x f~1 f~2 , where r, s ← Z∗p , using a CRS comprising vectors ϕ ~ , f~1 , f~2 . In the soundness setting, ϕ ~ , f~1 , f~2 are linearly independent (typically ϕ ~ = f~3 (1, 1, g) ξ1 ξ2 ξ1 ξ2 where f~3 = f~1 f~2 ) whereas, in the WI setting, choosing ϕ ~ = f~1 f~2 gives a perfectly hiding ~ is always a BBS encryption of 1G , no matter which exponent x is committed to. commitment since C To prove that committed variables satisfy a set of relations, the prover computes one commitment per variable and one proof element (made of a constant number of group elements) per relation. Such proofs are available for pairing-product equations, which are relations of the type n Y

e(Ai , Xi ) ·

i=1

n Y n Y · e(Xi , Xj )aij = tT ,

(2)

i=1 j=1

for variables X1 , . . . , Xn ∈ G and constants tT ∈ GT , A1 , . . . , An ∈ G, aij ∈ Zp , for i, j ∈ {1, . . . , n}. Efficient proofs also exist for multi-exponentiation equations m Y i=1

Ayi i

·

n Y j=1

b Xj j

m Y n Y yγ · · Xj i ij = T, i=1 j=1

4

(3)

for variables X1 , . . . , Xn ∈ G, y1 , . . . , ym ∈ Zp and constants T, A1 , . . . , Am ∈ G, b1 , . . . , bn ∈ Zp and γij ∈ G, for i ∈ {1, . . . , m}, j ∈ {1, . . . , n}. In pairing-product equations, proofs for quadratic equations require 9 group elements whereas linear equations (i.e., where aij = 0 for all Q i, j in equation (2)) only take 3 group elements each. Linear multiyi exponentiation equations of the type m i=1 Ai = T demand 2 group elements. Multi-exponentiation equations admit zero-knowledge (NIZK) proofs at no additional cost. On a simulated CRS (prepared for the WI setting), a trapdoor makes it is possible to simulate proofs without knowing witnesses and simulated proofs have the same distribution as real proofs. In contrast, pairing-product equations do not always have NIZK proofs. Fortunately, NIWI proofs will be sufficient here. 2.3

Structure-Preserving Signatures

Several applications (see [2, 3, 36, 31, 4] for examples) require to sign groups elements while preserving the feasibility of efficiently proving that a committed signature is valid for a committed group element. In [2, 3], Abe, Haralambiev and Ohkubo showed how to conveniently sign n group elements at once using signatures consisting of O(1) group elements. Their scheme (which is referred to as the AHO signature in the paper) makes use of bilinear groups of prime order. In the context of symmetric pairings, the description below assumes public parameters pp = (G, GT ), g consisting of groups (G, GT ) of order p > 2λ , where λ ∈ N is a security parameter, with a bilinear map e : G × G → GT and a generator g ∈ G. Keygen(pp, n): given an upper bound n ∈ N on the number of group elements that can be signed altogether, R R R choose generators Gr , Hr ← G. Pick γz , δz ← Zp and γi , δi ← Zp , for i = 1 to n. Then, compute Gz = Gγr z , Hz = Hrδz and Gi = Gγr i , Hi = Hrδi for each i ∈ {1, . . . , n}. Finally, choose exponents R Zp and define A = e(Gr , g αa ) and B = e(Hr , g αb ). Set the public key as αa , αb ← pk = Gr , Hr , Gz , Hz , {Gi , Hi }ni=1 , A, B ∈ G2n+4 × G2T while the private key consists of sk = αa , αb , γz , δz , {γi , δi }ni=1 . Sign(sk, (M1 , . . . , Mn )): to sign a vector (M1 , . . . , Mn ) ∈ Gn using sk = (αa , αb , γz , δz , {γi , δi }ni=1 ), choose R ζ, ρ, τ, ν, ω ← Zp and compute θ1 = g ζ as well as θ2 = g ρ−γz ζ ·

n Y

Mi−γi ,

θ3 = Gτr ,

θ4 = g (αa −ρ)/τ ,

Mi−δi ,

θ6 = Hrω ,

θ7 = g (αb −ν)/ω ,

i=1

θ5 = g ν−δz ζ ·

n Y i=1

The signature consists of σ = (θ1 , θ2 , θ3 , θ4 , θ5 , θ6 , θ7 ). Verify(pk, σ, (M1 , . . . , Mn )): parse σ as (θ1 , θ2 , θ3 , θ4 , θ5 , θ6 , θ7 ) ∈ G7 and return 1 iff these equalities hold: A = e(Gz , θ1 ) · e(Gr , θ2 ) · e(θ3 , θ4 ) · B = e(Hz , θ1 ) · e(Hr , θ5 ) · e(θ6 , θ7 ) ·

n Y i=1 n Y

e(Gi , Mi ),

(4)

e(Hi , Mi ).

(5)

i=1

In [2, 3], the scheme was proved to be existentially unforgeable under chosen-message attacks under the q-SFP assumption, where q is the maximal number of signing queries. 5

Abe et al. [2, 3] also showed that signatures can be publicly randomized to obtain a different signature {θi0 }7i=1 ← ReRand(pk, σ) on (M1 , . . . , Mn ). After randomization, we have θ10 = θ1 while {θi0 }7i=2 are uniformly distributed among the values satisfying the equalities e(Gr , θ20 ) · e(θ30 , θ40 ) = e(Gr , θ2 ) · e(θ3 , θ4 ) and e(Hr , θ50 ) · e(θ60 , θ70 ) = e(Hr , θ5 ) · e(θ6 , θ7 ). Moreover, {θi0 }i∈{3,4,6,7} are statistically independent of (M1 , . . . , Mn ) and the rest of the signature. This implies that, in anonymity-related protocols, re-randomized {θi0 }i∈{3,4,6,7} can be safely revealed as long as (M1 , . . . , Mn ) and {θi0 }i∈{1,2,5} are given in committed form. In [4], Abe, Groth, Haralambiev and Ohkubo described a more efficient structure-preserving signature based on interactive assumptions. Here, we use the scheme of [2, 3] so as to rely on falsifiable assumptions. 2.4

The NNL Framework for Broadcast Encryption

The Subset Cover framework [51] considers secret-key broadcast encryption schemes with N = 2` registered receivers. Each one of them is associated with a leaf of a complete binary tree T of height ` and each tree node is assigned a secret key. If N denotes the universe of users and R ⊂ N is the set of revoked receivers, the idea of the framework is to partition the set of non-revoked users into m disjoint subsets S1 , . . . , Sm such that N \R = S1 ∪ . . . ∪ Sm . Depending on the way to partition N \R and the distribution of keys to users, different instantiations and tradeoffs are possible. The Complete Subtree Method. In this technique, each subset Si consists of the leaves of a complete subtree rooted at some node xi of T. Upon registration, each user obtains secret keys for all nodes on the path connecting his leaf to the root of T (and thus O(`) keys overall). By doing so, users in N \R can decrypt the content if the latter is enciphered using symmetric keys K1 , . . . , Km corresponding to the roots of subtrees S1 , . . . , Sm . As showed in [51], the CS partitioning method entails at most m ≤ r · log(N/r) subsets, where r = |R|. Each transmission requires to send O(r · log N ) symmetric encryptions while, at each user, the storage complexity is O(log N ). As noted in [51, 34], a single-level identity-based encryption scheme allows implementing a public-key variant of the CS method. The master public key of the IBE scheme forms the public key of the broadcast encryption system, which allows for public keys of size O(1) (instead of O(N ) in instantiations using ordinary public-key encryption). When users join the system, they obtain O(`) IBE private keys (in place of symmetric keys) associated with the “identities” of nodes on the path between their leaf and the root. The Subset Difference Method. The SD method reduces the transmission cost to O(r) at the expense of increased storage requirements. For each node xj ∈ T, we call Txj the subtree rooted at xj . The set N \R is now divided into disjoint subsets Sk1 ,u1 , . . . , Skm ,um . For each i ∈ {1, . . . , m}, the subset Ski ,ui is determined by a node xki and one of its descendants xui – which are called primary and secondary roots of Ski ,ui , respectively – and it consists of the leaves of Txki that are not in Txui . Each user thus belongs to much more generic subsets than in the CS method and this allows reducing the maximal number of subsets to m = 2r − 1 (see [51] for a proof of this bound). A more complex key distribution is necessary to avoid a prohibitive storage overhead. Each subset Ski ,ui is assigned a “proto-key” Pxki ,xui that allows deriving the actual symmetric encryption key Kki ,ui for Ski ,ui and as well as proto-keys Pxki ,xul for any descendant xul of xui . At the same time, Pxki ,xul should be hard to compute without a proto-key Pxki ,xui for an ancestor xui of xul . The key distribution phase then proceeds as follows. Let user i be assigned a leaf vi and let = x0 , x1 , . . . , x` = vi denote the path from the root to vi . For each subtree Txj (with j ∈ {1, . . . , `}), if copathxj denotes the set of all siblings of nodes on the path from xj to vi , user i must obtain proto-keys Pxj ,w for each node w ∈ copathxj because he belongs to the generic subset whose primary root is xj and whose secondary root is w. By storing O(`2 ) proto-keys (i.e., O(`) for each subtree Txj ), users will be able to derive keys for all generic subsets they belong to. In [34], Dodis and Fazio extended the SD method to the public-key setting using hierarchical identitybased encryption. In the tree, each node w at depth ≤ ` has a label hwi which is defined by assigning the 6

label ε to the root (at depth 0). The left and right children of w are then labeled with hwi||0 and hwi||1, respectively. For each subset Ski ,ui of N \R, the sender considers the primary and secondary roots xki , xui and parses the label hxui i as hxki i||ui,`i,1 . . . ui,`i,2 , with ui,j ∈ {0, 1} for each j ∈ {`i,1 , . . . , `i,2 }. Then, he computes a HIBE ciphertext for the hierarchical identity (hxki i, ui,`i,1 , . . . , ui,`i,2 ) at level `i,2 − `i,1 + 2. Upon registration, if = x0 , . . . , x` = vi denotes the path from the root to his leaf vi , for each subtree Txj , user i receives exactly one HIBE private key for each w ∈ copathxj : namely, for each w ∈ copathxj , there exist `1 , `2 ∈ {1, . . . , `} such that hwi = hxj i||w`1 . . . w`2 with wj ∈ {0, 1} for all j ∈ {`1 , . . . , `2 } and user i obtains a HIBE private key for the hierarchical identity (hxj i, w`1 , . . . , w`2 ). By construction, this key will allow user i to decrypt any HIBE ciphertext encrypted for a subset whose primary root is xj and whose secondary root is a descendant of w. Overall, each user thus has to store O(log2 N ) HIBE private keys. 2.5

Revocable Group Signatures

We consider group signature schemes that have their lifetime divided into revocation epochs at the beginning of which group managers update their revocation lists. The syntax and the security model are similar to [49] but they build on those defined by Kiayias and Yung [45]. Like the Bellare-Shi-Zhang model [11], the latter assumes an interactive join protocol between the group manager and the prospective user. This protocol provides the user with a membership certificate and a membership secret. Such protocols may consist of several rounds of interaction. Syntax. We denote by N ∈ poly(λ) the maximal number of group members. At the beginning of each revocation epoch t, the group manager publicizes an up-to-date revocation list RLt and we denote by Rt ⊂ {1, . . . , N } the corresponding set of revoked users (we assume that Rt is part of RLt ). A revocable group signature (R-GS) scheme consists of the following algorithms or protocols. Setup(λ, N ): given a security parameter λ ∈ N and a maximal number of group members N ∈ N, this algorithm (which is run by a trusted party) generates a group public key Y, the group manager’s private key SGM and the opening authority’s private key SOA . Keys SGM and SOA are given to the appropriate authority while Y is publicized. The algorithm also initializes a public state St comprising a set data structure Stusers = ∅ and a string data structure Sttrans = . Join: is an interactive protocol between the group manager GM and a user Ui where the latter becomes a group member. The protocol involves two interactive Turing machines Juser and JGM that both take as input Y. The execution, denoted as [Juser (λ, Y), JGM (λ, St, Y, SGM )], terminates with user Ui obtaining a membership secret seci , that no one else knows, and a membership certificate certi . If the protocol successfully terminates, the group manager updates the public state St by setting Stusers := Stusers ∪{i} as well as Sttrans := Sttrans ||hi, transcripti i. Revoke: is a (possibly randomized) algorithm allowing the GM to generate an updated revocation list RLt for the new revocation epoch t. It takes as input a public key Y and a set Rt ⊂ Stusers that identifies the users to be revoked. It outputs an updated revocation list RLt for epoch t. Sign: given a revocation epoch t with its revocation list RLt , a membership certificate certi , a membership secret seci and a message M , this algorithm outputs ⊥ if i ∈ Rt and a signature σ otherwise. Verify: given a signature σ, a revocation epoch t, the corresponding revocation list RLt , a message M and a group public key Y, this deterministic algorithm returns either 0 or 1. Open: takes as input a message M , a valid signature σ w.r.t. Y for the indicated revocation epoch t, the opening authority’s private key SOA and the public state St. It outputs i ∈ Stusers ∪ {⊥}, which is the identity of a group member or a symbol indicating an opening failure. Each membership certificate contains a unique tag that identifies the user. A R-GS scheme must satisfy three security notions defined in appendix A. The first one is called security against misidentification attacks. It requires that, even if the adversary can introduce and revoke users at 7

will, it cannot produce a signature that traces outside the set of unrevoked adversarially-controlled users. As in ordinary (i.e., non-revocable) group signatures, the notion of security against framing attacks mandates that, even if the whole system colludes against a user, that user will not bear responsibility for messages that he did not sign. Finally, the notion of anonymity is also defined (in the presence of a signature opening oracle) as in the models of [11, 45].

3

A Revocable Group Signature Based on the Subset Difference Method

As already mentioned, the idea is to turn the NNL global ciphertext into a revocation list in the group signature. Each group member is associated with a leaf of a binary tree of height ` and the outcome of the join protocol is the user obtaining a membership certificate that contains the same key material as in the public-key variant of the SD method (i.e., O(`2 ) HIBE private keys). To ensure traceability and non-frameability, these NNL private keys are linked to a group element X, that only the user knows the discrete logarithm of, by means of structure-preserving signatures. At each revocation epoch t, the group manager generates an up-to-date revocation list RLt consisting of O(r) HIBE ciphertexts, each of which is signed using a structure-preserving signature. When it comes to sign a message, the user Ui proves that he is not revoked by providing evidence that he is capable of decrypting one of the HIBE ciphertexts in RLt . To this end, Ui commits to that HIBE ciphertext Cl and proves that he holds a key that decrypts Cl . To convince the verifier that Cl belongs to RLt , he proves knowledge of a signature on the committed HIBE ciphertext Cl (this technique is borrowed from the set membership and range proofs of [57, 25]). Of course, to preserve the anonymity of signers, we need a HIBE scheme with constant-size ciphertexts (otherwise, the length of the committed ciphertext could betray the signer’s location in the tree), which is why the Boneh-Boyen-Goh construction [15] is the ideal candidate. The scheme is made anonymous and non-frameable using the same techniques as Groth [39] in steps 4-6 of the signing algorithm. As for the security against misidentification attacks, we cannot prove it by relying on the standard collusion-resistance (captured by Definition 7 in appendix B.1) of the HIBE scheme. In the proof of Theorem 1, the problem appears in the treatment of forgeries that open to a revoked user: while this user cannot have obtained a private key that decrypts the committed HIBE ciphertext of the forgery (because he is revoked), unrevoked adversarially-controlled users can. To solve this problem, we need to rest on a non-standard security property (formalized by Definition 8 in appendix B.1) called “key-robustness”. This notion asks that, given a private key generated for some hierarchical identity using specific random coins, it be infeasible to compute the private key of a different identity for the same random coins and even knowing the master secret key of the HIBE scheme. While unusual, this property can be proved (by Lemma 1 in appendix B.2) under the standard Diffie-Hellman assumption for the BBG construction. Perhaps surprisingly, even though we rely on the BBG HIBE, we do not need its underlying q-type assumption [15]. The reason is that the master secret key of the scheme is unnecessary here as its role is taken over by the private key of a structure-preserving signature. In the ordinary BBG system (recalled in appendix B.2), private keys contain components of the form (g2α · F (ID)r , g r ), for some r ∈ Zp , where g2α is the master secret key and F (ID) is a function of the hierarchical identity. In the join protocol, the master key g2α disappears: the user obtains a private key of the form (F (ID)r , g r ) and an AHO signature is used to bind the user’s membership public key X to g r . The latter can be thought of as a public key for a one-time variant (the one-time nature is what allows for a proof of selective-message security in the standard model) of the Boneh-Lynn-Shacham signature [17]. The underlying one-time private key r ∈ Zp is used to compute F (ID)r as well as a number of delegation components allowing to derive signatures for messages that ID is a prefix of (somewhat in the fashion of wildcard signatures [1][Section 6]). 8

3.1

Construction

As in Section 2.4, hxi denotes the label of node x ∈ T and, for any sub-tree Txj rooted at xj and any leaf vi of Txj , copathxj denotes the set of all siblings of nodes on the path from xj to vi , not counting xj itself. As is standard in group signatures, the description below assumes that, before joining the group, user Ui chooses a long term key pair (usk[i], upk[i]) and registers it in some PKI. Setup(λ, N ): given a security parameter λ ∈ N and the permitted number of users N = 2` , R 1. Choose bilinear groups (G, GT ) of prime order p > 2λ , with a generator g ← G. (0) (0) (1) (1) 2. Generate two key pairs (skAHO , pkAHO ) and (skAHO , pkAHO ) for the AHO signature in order to sign messages of two group elements. These key pairs consist of (d) (d) (d) (d) γi δ (d) (d) (d) (d) δz (d) (d) γz = Hr i }2i=1 , A(d) , B (d) pkAHO = G(d) r , Hr , Gz = Gr , Hz = Hr , {Gi = Gr , Hi

(d) (d) (d) (d) (d) (d) (d) and skAHO = αa , αb , γz , δz , {γi , δi }2i=1 , where d ∈ {0, 1}. 3. As a CRS for the NIWI proof system, select vectors f = (f~1 , f~2 , f~3 ) s.t. f~1 = (f1 , 1, g) ∈ G3 , ξ2 ξ1 R R G and β1 , β2 , ξ1 , ξ2 ← Z∗ . f~2 = (1, f2 , g) ∈ G3 , and f~3 = f~1 · f~2 , with f1 = g β1 , f2 = g β2 ← p

R 4. Choose (U, V ) ← G2 that, together with f1 , f2 , g, will form a public encryption key. 3 5. Generate a master public key mpkBBG for the Boneh-Boyen-Goh HIBE. Such a public key consists ` of mpkBBG = {hi }i=0 , where ` = log2 (N ), and no master secret key is needed. 6. Select an injective encoding4 function H : {0, 1}≤` → Z∗p and a strongly unforgeable one-time signature Σ = (G, S, V). (0) (1) 7. Set SGM := skAHO , skAHO , SOA := β1 , β2 as authorities’ private keys and the group public key is (0) (1) Y := g, pkAHO , pkAHO , mpkBBG , f , (U, V ), H, Σ .

Join(GM,Ui ) : the GM and the prospective user Ui run the following protocol [Juser (λ, Y), JGM (λ, St, Y, SGM )]: R 1. Juser (λ, Y) picks x ← Zp and computes X = g x which is sent to JGM (λ, St, Y, SGM ). If the value X already appears in some entry transcriptj of the database Sttrans , JGM aborts and returns ⊥ to Juser . 2. JGM assigns to Ui an available leaf vi of label hvi i = vi,1 . . . vi,` ∈ {0, 1}` in the tree T. Let x0 = , x1 , . . . , x`−1 , x` = vi be the path from vi to the root of T. For j = 0 to `, JGM does the following.

a. Consider the sub-tree Txj rooted at node xj . Let copathxj be the co-path from xj to vi . b. For each node w ∈ copathxj , since xj is an ancestor of w, hxj i is a prefix of hwi and we denote by w`1 . . . w`2 ∈ {0, 1}`2 −`1 +1 , for some `1 ≤ `2 ≤ `, the suffix of hwi coming right after hxj i. R b.1 Choose a random r ← Zp and compute a HIBE private key

dw = (Dw,1 , Dw,2 , Kw,`2 −`1 +3 , . . . , Kw,` ) H(w` ) H(w` ) r H(hx i) = h0 · h1 j · h2 1 · · · h`2 −`12+2 , g r , hr`2 −`1 +3 , . . . , hr` for the identity (H(hxj i), H(w`1 ), . . . , H(w`2 )) ∈ (Z∗p )`2 −`1 +2 . (0)

b.2 Using skAHO , generate an AHO signature σw = (θw,1 , . . . , θw,7 ) on (X, Dw,2 ) ∈ G2 so as to bind the HIBE private key dw to the value X that identifies Ui . 3

4

As mentioned earlier, in comparison with the original HIBE scheme (recalled in appendix B.2) where mpkBBG includes (g1 = g α , g2 ) and mskBBG = g2α , the public elements g1 and g2 have disappeared. This encoding allows making sure that “identities” will be non-zero at each level. Since the set {0, 1}≤` is of cardinality P ` i `+1 − 1 < p − 1, such a function can be efficiently constructed without any intractability assumption. i=0 2 = 2

9

3. JGM sends hvi i ∈ {0, 1}` , and the HIBE private keys {{dw }w∈copathx }`j=0 to Juser that verifies their j validity. If these keys are all well-formed, J acknowledges them by generating a digital signature user sigi = Signusk[i] X||{{dw }w∈copathx }`j=0 and sends it back to JGM . j 4. JGM checks that Verifyupk[i] X||{{dw }w∈copathx }`j=0 , sigi = 1. If not JGM aborts. Otherwise, JGM j

returns the AHO signatures {{σw }w∈copathx }`j=0 to Juser and stores the conversation transcript j

transcripti = (X, {{dw , σw }w∈copathx }`j=0 , sigi ) in the database Sttrans .

j 5. Juser defines the membership certificate certi as certi = hvi i, {{dw , σw }w∈copathx }`j=0 , X , where X j will serve as the tag that identifies Ui . The membership secret seci is defined to be seci = x.

Revoke(Y, SGM , t, Rt ): (0) (1) 1. Parse SGM as SGM := skAHO , skAHO .

2. Using the SD covering algorithm, find a cover of the unrevoked user set {1, . . . , N }\Rt as the union of disjoint subsets of the form Sk1 ,u1 , . . . , Skm ,um , with m ≤ 2 · |Rt | − 1. 3. For i = 1 to m, do the following. a. Consider Ski ,ui as the difference between sub-trees rooted at an internal node xki and one of its descendants xui . The label of xui can be written hxui i = hxki i||ui,`i,1 . . . ui,`i,2 for some `i,1 < `i,2 ≤ ` and where ui,κ ∈ {0, 1} for each κ ∈ {`i,1 , . . . , `i,2 }. Then, compute an encoding of Ski ,ui as a group element H(hxki i)

Ci = h0 · h1

H(ui,`i,1 )

· h2

H(ui,`

)

i,2 · · · h`i,2 −`i,1 +2 .

Note that Ci can be thought of as a de-randomized HIBE ciphertext for the hierarchical identity H(hxki i), H(ui,`i,1 ), . . . , H(ui,`i,2 ) ∈ (Z∗p )`i,2 −`i,1 +2 . (1)

b. To authenticate the HIBE ciphertext Ci and bind it to the revocation epoch t, use skAHO to generate an AHO signature Θi = (Θi,1 , . . . , Θi,7 ) ∈ G7 on the pair (Ci , g t ) ∈ G2 , where the epoch number t is interpreted as an element of Zp . Return the revocation data RLt which is defined to be RLt = t, Rt , {hxki i, hxui i, Ci , Θi = (Θi,1 , . . . , Θi,7 ) }m i=1

(6)

Sign(Y, t, RLt , certi , seci , M ): return ⊥ if i ∈ Rt . Otherwise, to sign M ∈ {0, 1}∗ , generate a one-time signature key pair (SK, VK) ← G(λ). Parse certi as hvi i, {{(dw , σw )}w∈copathx }`j=0 , X and seci as j x ∈ Zp . Then, Ui conducts the following steps. 1. Using RLt , determine the set Skl ,ul , with l ∈ {1, . . . , m}, that contains the leaf vi (this subset must exist since i 6∈ Rt ) and let xkl and xul denote the primary and secondary roots of Skl ,ul . Since xkl is an ancestor of xul , we can write hxul i = hxkl i||ul,`1 . . . ul,`2 , for some `1 < `2 ≤ ` and with ul,κ ∈ {0, 1} for each κ ∈ {`1 , . . . , `2 }. The signer Ui computes a HIBE decryption key of the form H(hxkl i) H(ul,`1 ) H(ul,`2 ) r (Dl,1 , Dl,2 ) = h0 · h1 · h2 · · · h`2 −`1 +2 , gr . (7) This is possible since, if we denote by hxk,l i||ul,`1 . . . ul,`01 the shortest prefix of hxul i that is not a prefix of hvi i, the key material {dw }w∈copathx corresponding to the sub-tree rooted at xkl contains kl

a HIBE private key dw = (Dw,1 , Dw,2 , Kw,`01 −`1 +3 , . . . , Kw,` ) such that H(ul,`0 ) r H(hxkl i) H(ul,`1 ) 1 dw = h0 · h1 · h2 · · · h`0 −`1 +2 , g r , hr`0 −`1 +3 , . . . , hr` , 1

1

which allows deriving a key of the form (7) for the same r ∈ Zp (i.e., Dl,2 = Dw,2 ). 10

(1)

0 }7 2. To prove his ability to “decrypt” Cl , Ui first re-randomizes Θl as {Θl,i i=1 ← ReRand(pkAHO , Θl ). 0 }i∈{1,2,5} Then, he computes a Groth-Sahai commitment comCl to Cl as well as commitments {comΘl,i 0 } to {Θl,i i∈{1,2,5} . He generates a proof πCl that Cl is a certified HIBE ciphertext for epoch t: i.e., πCl provides evidence that (1)

(1)

0 0 −1 0 (1) 0 A(1) · e(Θl,3 , Θl,4 ) · e(G2 , g t )−1 = e(G(1) z , Θl,1 ) · e(Gr , Θl,2 ) · e(G1 , Cl ),

B

(1)

·

0 0 −1 e(Θl,6 , Θl,7 )

·

(1) e(H2 , g t )−1

=

0 e(Hz(1) , Θl,1 )

·

0 e(Hr(1) , Θl,5 )

·

(8)

(1) e(H1 , Cl ),

Then, Ui generates commitments {comDl,i }2i=1 to the HIBE key components {Dl,i }2i=1 derived at step 1 and computes a proof πDl that e(Dl,1 , g) = e(Cl , Dl,2 ). The latter is quadratic and requires 9 0 } group elements. Since {Θl,i i∈{3,4,6,7} are constants, equations (8) are linear and require 3 elements each. Hence, πCl and πDl take 15 elements altogether. (0)

0 }7 3. Let σl = (θl,1 , . . . , θl,7 ) be the AHO signature on (X, Dl,2 ). Compute {θl,i i=1 ← ReRand(pkAHO , σl ) 0 0 }i∈{1,2,5} to {θ }i∈{1,2,5} as well as a commitment comX to X. and generate commitments {comθl,i l,i Then, generate a proof πσl that committed variables satisfy the verification equations (0)

(0)

0 0 −1 0 (0) 0 A(0) · e(θl,3 , θl,4 ) = e(G(0) z , θl,1 ) · e(Gr , θl,2 ) · e(G1 , X) · e(G2 , Dl,2 ), (0)

(0)

0 0 −1 0 B (0) · e(θl,6 , θl,7 ) = e(Hz(0) , θl,1 ) · e(Hr(0) , θl,5 ) · e(H1 , X) · e(H2 , Dl,2 )

Since these equations are linear, πσl requires 6 group elements. 4. Using VK as a tag (we assume that it is first hashed onto Zp in such a way that it can be interpreted R as a Zp element), compute a tag-based encryption [47] of X by drawing z1 , z2 ← Zp and setting (Ψ1 , Ψ2 , Ψ3 , Ψ4 , Ψ5 ) = f1z1 , f2z2 , X · g z1 +z2 , (g VK · U )z1 , (g VK · V )z2 . φX,1 φX,2 φX,3 5. Generate a NIZK proof that comX = (1, 1, X) · f~1 · f~2 · f~3 and (Ψ1 , Ψ2 , Ψ3 ) are BBS encryptions of the same value X. If we write f~3 = (f3,1 , f3,2 , f3,3 ), the Groth-Sahai commitment φ φ φ φ φ comX can be written as (f1 X,1 · f3,1X,3 , f2 X,2 · f3,2X,3 , X · g φX,1 +φX,2 · f3,3X,3 ), so that we have τ3 τ3 τ3 comX (Ψ1 , Ψ2 , Ψ3 )−1 = f1τ1 · f3,1 , f2τ2 · f3,2 , g τ1 +τ2 · f3,3

(9)

with τ1 = φX,1 − z1 , τ2 = φX,2 − z2 , τ3 = φX,3 . The signer Ui commits to τ1 , τ2 , τ3 ∈ Zp (by φτ ,1 φτ ,2 computing comτ = ϕ ~ τj · f~1 j · f~2 j , for j ∈ {1, 2, 3}, using the vector ϕ ~ = f~3 ·(1, 1, g) and random j

{φτj ,1 , φτj ,2 }3j=1 ), and generates proofs {πeq-com,j }3j=1 that τ1 , τ2 , τ3 satisfy the three relations (9). Since these are linear equations, proofs {πeq-com,j }3j=1 cost 2 elements each. 6. Compute σVK = g 1/(x+VK) and generate a commitment comσVK to σVK . Then, generate a NIWI proof that committed variables σVK and X satisfy e(σVK , X · g VK ) = e(g, g). This relation is quadratic and requires a proof consisting of 9 group elements. We denote this proof by πσVK = (~πσVK ,1 , ~πσVK ,2 , ~πσVK ,3 ). 0 , θ0 } 7. Compute σots = S(SK, (M, RLt , Ψ1 , Ψ2 , Ψ3 , Ψ4 , Ψ5 , Ω, com, Π)) where Ω = {Θl,i l,i i∈{3,4,6,7} and 3 0 }i∈{1,2,5} , {comθ 0 }i∈{1,2,5} , {comτ } com = comCl , {comDl,i }2i=1 , comX , {comΘl,i i i=1 , comσVK l,i

Π = (πCl , πDl , πσl , πeq-com,1 , πeq-com,2 , πeq-com,3 , πσVK ) Return the signature σ = VK, Ψ1 , Ψ2 , Ψ3 , Ψ4 , Ψ5 , Ω, com, Π, σots . Verify(σ, M, t, RLt , Y): parse σ as above and do the following. 11

1. If V(VK, (M, RLt , Ψ1 , Ψ2 , Ψ3 , Ψ4 , Ψ5 , Ω, com, Π), σots ) = 0, return 0. 2. Return 0 if e(Ψ1 , g VK · U ) 6= e(f1 , Ψ4 ) or e(Ψ2 , g VK · V ) 6= e(f2 , Ψ5 ). 3. Return 1 if all proofs properly verify. Otherwise, return 0. Open(M, t, RLt , σ, SOA , Y, St): given SOA = (β1 , β2 ), parse the signature σ as above and return ⊥ if ˜ = Ψ3 · Ψ −1/β1 · Ψ −1/β2 . In the database Sttrans , Verify(σ, M, t, RLt , Y) = 0. Otherwise, compute X 1 2 ˜ If no such record find a record hi, transcripti = (X, {{dw , σw }w∈copathx }`j=0 , sigi )i such that X = X. j exists in Sttrans , return ⊥. Otherwise, return i. From an efficiency point of view, for each i ∈ {1 . . . , m}, RLt comprises 8 group elements plus the labels of nodes that identify Ski ,ui . If λG denotes the bitlength of a group element, the number of bits of RLt is thus bounded by 2 · |Rt | · (8 · λG + 2 log N ) < 2 · |Rt | · (9λG ) bits (as log N < λG /2 since λ ≤ λG and N is polynomial). The size of revocation lists thus amounts to that of at most 18 · |Rt | group elements. Group members need O(log3 N ) group elements to store their membership certificate. As far as the size of signatures goes, com and Π require 42 and 36 group elements, respectively. If the one-time signature of [38] is used, σ consists of 96 group elements, which is less than twice the size of Groth’s signatures [39]. At the 128-bit security level, if each element has a representation of 512 bits, a signature takes 6 kB. Verifying signatures takes constant time. The cost of each signature generation is dominated by at most ` = log N exponentiations to derive a HIBE private key at step 1. However, this step only has to be executed once per revocation epoch, at the first signature of that epoch. 3.2

Security

Theorem 1 (Misidentification). The scheme is secure against misidentification attacks assuming that the q-SFP problem is hard for q = max(`2 · qa , qr2 ), where qa and qr denote the maximal numbers of Qa-join queries and Qrevoke queries, respectively, and ` = log N . Proof. To mount a successful misidentification attack, the adversary A must output a non-trivial signature for which the opening algorithm fails to point to an unrevoked adversarially-controlled group member. ? ? ? ? ? ? ? ? ? ? ? Let σ = VK , Ψ1 , Ψ2 , Ψ3 , Ψ4 , Ψ5 , Ω , com , Π , σots denote A’s forgery and parse com? as com? = com?C , {com?Di }2i=1 , com?X , {com?Θ0 }i∈{1,2,5} , {com?θ0 }i∈{1,2,5} , {com?τi }3i=1 , com?σVK? . i

i

By hypothesis, it must be the case that Open(M ? , t? , RLt? , σ ? , SOA , Y, St) 6∈ U a \Rt? , where U a denotes the set of adversarially-controlled users. Depending on extractable commitments com?X , com?C , {com?Di }2i=1 , {com?Θ0 }i∈{1,2,5} , {com?θ0 }i∈{1,2,5} and their contents, we distinguish the following cases: i

i

?

- Type I forgeries are those for which com?Cl contains a group element C ? such that (C ? , g t ) was never signed when the latest revocation list RLt? was generated. - Type II forgeries are such that com?C contains a properly certified HIBE ciphertext for epoch t? (say ? are the HIBE ciphertexts of RL ? ). However, the C ? = Cl? , for some l ∈ {1, . . . , m}, where C1? , . . . , Cm t ? execution of Open reveals a previously unseen X or points some revoked user i ∈ U a ∩ Rt? although σ ? provides convincing evidence that the committed private key (D1? , D2? ) allows decrypting Cl? and that committed elements {θi? }7i=1 form a valid signature on (X ? , D2? ). In this case, we have two situations: a. The pair (X ? , D2? ) was not signed by JGM in any execution of Join. It means that either: (1) Open uncovers a value X ? that does not appear anywhere in Sttrans . (2) The traced user i ∈ U a ∩ Rt? colluded with some unrevoked user j ∈ U a whose leaf is in Skl ,ul – which Cl? is an encoding of – and managed to forge an AHO signature so as to link his X ? to an authorized key (D1? , D2? ) for Skl ,ul . 12

b. The pair (X ? , D2? ) was signed by JGM at some execution of Join. At first, we would like to use the Type II.b adversary to break the standard selective semantic security of the HIBE system (cf. Definition 7 in appendix B). As it turns out, even if we were using the original BBG HIBE (with its master secret key), such a reduction would be unlikely to work because the set Skl ,ul may contain unrevoked users in U a , so that A obtained private keys that do decrypt Cl? . Instead, we rely on the security property that we call “key-robustness” (defined in appendix B.1) and which relies on a weaker assumption than the standard security of the BBG HIBE. Observe that, when user i joined the group, he cannot have been issued the private key (D1? , D2? ) (which is an authorized key for Skl ,ul ) since he is revoked at epoch t? . However, since (X ? , D2? ) was signed by JGM , user i must have obtained from JGM a HIBE private key of the form (D1 , D2? ), where D1 6= D1? , for an identity other than the one encoded by Skl ,ul . In this case, as will be showed in Lemma 2, the key-robustness property is necessarily broken in the HIBE scheme. It is easy to see that Type I and Type II.a forgeries imply a forger against the AHO signature scheme (the proof is straightforward and omitted). Lemma 2 (in appendix C) demonstrates that a Type II.b attack necessarily contradicts the keyrobustness property (formally defined in appendix B.1) of the Boneh-Boyen-Goh HIBE scheme and thus the Diffie-Hellman assumption, as established by Lemma 1 in appendix B.2. Finally, one can readily check that an adversary cannot produce a signature σ ? allowing to win the misidentification game without being one of the above kinds of forgeries. The result of the theorem follows from the fact that the SFP assumption implies the CDH assumption. t u The security against framing attacks and the anonymity property rely on the SDH and DLIN assumptions, respectively, and the proofs are given in appendices D.1 and D.2.

4

Efficiency Comparisons

This section discusses the comparative efficiency of known pairing-based revocable group signatures. We focus on revocation methods that are more efficient than generic revocation techniques: for example, we do not consider techniques (such as the one recalled in [19][Section 5.4]) consisting in privately sending new keys to all remaining users at each revocation. Also, we only consider schemes where group members are stateless and do not have to update their membership certificate every time a revocation occurs. In table 1, all sizes are given in terms of number of group elements, each one of which costs O(λ) bits to represent. Table 1. Comparison between pairing-based revocable group signatures Schemes NFHF1 [49] NFHF2 [49] BS [18] NF [50] LV [48] This work (SD) This work (CS)

Group public Signature Membership key size size certificate size O(N ) O(N 1/2 ) O(1) O(T )♦ O(T )♦ O(log N ) O(1)

N : max. number of users;

O(1) O(1) O(1) O(1) O(1) O(1) O(1)

O(1) O(1) O(1) O(1) O(1) O(log3 N ) O(log N )

Revocation list size

Signature Verification cost cost

O(r) O(1) O(r) O(1) O(r) O(1) O(r) O(1) O(r) O(1) O(r) O(log N )† O(r · log(N/r)) O(1)‡

r: number of revocations

‡

O(1) O(1) O(r) O(r) O(r) O(1) O(1)

Revocation cost

Standard model?

O(r) O(r) O(1) O(r) O(r) O(r · log N )‡ O(r · log(N/r))‡

7 7 7 7 X X X

T : max. number of revocation epochs

♦ These schemes can be modified to have O(1)-size group public keys. † This complexity is only involved at the first signature of each revocation epoch. ‡ We only count arithmetic operations. In the signing algorithm, for example, we neglect O(log log N ) combinatorial operations at the beginning of each epoch.

13

As we can see, our CS and SD-based constructions are not only the first revocable group signatures with constant verification time in the standard model. Among schemes where revocations do not entail updates in unrevoked users’ credentials, they are also the only solutions offering O(1) verification cost and at most poly-logarithmic complexity in other metrics. In applications where one can afford a logarithmic expansion factor in the size of revocation lists, the CS method seems preferable as it features compact (meaning logarithmic according to the terminology used in [9, 19]) membership certificates. In situations where the size of the revocation list is to be minimized, the SD method should be preferred. Alternatively, the Layered Subset Difference approach (LSD) [41] provides an interesting tradeoff: at the expense of doubling the maximal size of revocation lists (which asymptotically remain of size O(r)), its basic variant allows reducing the size of membership certificates to O(log5/2 N ) as only O(log3/2 N ) HIBE private keys have to be stored.

Acknowledgements We thank the anonymous reviewers and Damien Vergnaud for useful comments.

References 1. M. Abdalla, E. Kiltz, G. Neven. Generalized Key Delegation for Hierarchical Identity-Based Encryption. In ESORICS’07, LNCS 4734, pp. 139–154. Springer, 2007. 2. M. Abe, K. Haralambiev, M. Ohkubo. Signing on Elements in Bilinear Groups for Modular Protocol Design. Cryptology ePrint Archive: Report 2010/133, 2010. 3. M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo. Structure-Preserving Signatures and Commitments to Group Elements. In Crypto’10, LNCS 6223, pp. 209–236, 2010. 4. M. Abe, J. Groth, K. Haralambiev, M. Ohkubo. Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups. In Crypto’11, LNCS 6841, pp. 649–666, 2011. 5. T. Acar, L. Nguyen. Revocation for Delegatable Anonymous Credentials. In PKC’11, LNCS 6571, pp. 423–440, 2011. 6. G. Ateniese, J. Camenisch, S. Hohenberger, B. de Medeiros. Practical group signatures without random oracles. Cryptology ePrint Archive: Report 2005/385, 2005. 7. G. Ateniese, J. Camenisch, M. Joye, G. Tsudik. A practical and provably secure coalition-resistant group signature scheme. In Crypto’00, LNCS 1880, pp. 255–270, 2000. 8. G. Ateniese, D. Song, G. Tsudik. Quasi-Efficient Revocation in Group Signatures. In Financial Cryptography’02, LNCS 2357, pp. 183–197, 2002. 9. M. Bellare, D. Micciancio, B. Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In Eurocrypt’03, LNCS 2656, pp. 614–629, 2003. 10. M. Bellare, P. Rogaway. Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In 1st ACM Conference on Computer and Communications Security, pp. 62–73, ACM Press, 1993. 11. M. Bellare, H. Shi, C. Zhang. Foundations of group signatures: The case of dynamic groups. In CT-RSA’05, LNCS 3376, pp. 136–153, 2005. 12. J. Benaloh, M. de Mare. One-Way Accumulators: A Decentralized Alternative to Digital Sinatures. In Eurocrypt’93, LNCS 4948, pp. 274–285, 1993. 13. D. Boneh, X. Boyen. Short Signatures Without Random Oracles. In Eurocrypt’04, LNCS 3027, pp. 56–73. Springer-Verlag, 2004. 14. D. Boneh, X. Boyen. Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. In Eurocrypt’04, LNCS 3027, pp. 223–238, 2004. 15. D. Boneh, X. Boyen, E.-J. Goh. Hierarchical identity based encryption with constant size ciphertext. In Eurocrypt’05, LNCS 3494, pp. 440–456, 2005. 16. D. Boneh, X. Boyen, H. Shacham. Short Group Signatures. In Crypto’04, LNCS 3152, pp. 41–55. Springer, 2004. 17. D. Boneh, B. Lynn, H. Shacham. Short signatures from the Weil pairing. In Asiacrypt’01, LNCS 2248, pp. 514–532. Springer, 2001. 18. D. Boneh, H. Shacham. Group signatures with verifier-local revocation. In ACM-CCS’04, pp. 168–177. ACM Press, 2004. 19. X. Boyen, B. Waters. Compact Group Signatures Without Random Oracles. In Eurocrypt’06, LNCS 4004, pp. 427–444, Springer, 2006.

14

20. X. Boyen, B. Waters. Anonymous Hierarchical Identity-Based Encryption (Without Random Oracles). In Crypto’06, LNCS 4117, pp. 290–307, 2006. 21. X. Boyen, B. Waters. Full-Domain Subgroup Hiding and Constant-Size Group Signatures. In PKC’07, LNCS 4450, pp. 1–15, 2007. 22. E. Bresson, J. Stern. Efficient Revocation in Group Signatures. In PKC’01, LNCS 1992, pp. 190–206, 2001. 23. E. Brickell. An efficient protocol for anonymously providing assurance of the container of the private key. Submission to the Trusted Computing Group. April, 2003. 24. E. Brickell, J. Camenisch, L. Chen. Direct Anonymous Attestation. In ACM-CCS’04, pp. 132–145, 2004. 25. J. Camenisch, R. Chaabouni, a. shelat. Efficient Protocols for Set Membership and Range Proofs. In Asiacrypt’08, LNCS 5350, pp. 234–252, Springer, 2008. 26. J. Camenisch, M. Dubovitskaya, G. Neven, G. Zaverucha. Oblivious Transfer with Hidden Access Control Policies. In PKC’11, LNCS 6571, pp. 192–209, 2011. 27. J. Camenisch, M. Kohlweiss, C. Soriente. An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials. In PKC’09, LNCS 5443, pp. 481–500, 2009. 28. J. Camenisch, M. Kohlweiss, C. Soriente. Solving Revocation with Efficient Update of Anonymous Credentials. In SCN’10, LNCS 6280, pp. 454–471, 2010. 29. J. Camenisch, A. Lysyanskaya. Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. In Crypto’02, LNCS 2442, pp. 61–76, Springer, 2002. 30. R. Canetti, S. Halevi, J. Katz. A Forward-Secure Public-Key Encryption Scheme. In Eurocrypt’03, LNCS 2656, pp. 254–271, 2003. 31. J. Cathalo, B. Libert, M. Yung. Group Encryption: Non-Interactive Realization in the Standard Model. In Asiacrypt’09, LNCS 5912, pp. 179–196, 2009. 32. D. Chaum, E. van Heyst. Group Signatures. In Eurocrypt’91, LNCS 547, pp. 257–265, Springer, 1991. 33. C. Delerabl´ee, D. Pointcheval. Dynamic Fully Anonymous Short Group Signatures. In Vietcrypt’06, LNCS 4341, pp. 193–210, Springer, 2006. 34. Y. Dodis, N. Fazio. Public Key Broadcast Encryption for Stateless Receivers. In Digital Rights Management (DRM’02), LNCS 2696, pp. 61–80, 2002. 35. C.-I. Fan, R.-H. Hsu, M. Manulis. Group Signature with Constant Revocation Costs for Signers and Verifiers. In Cryptology and Network Security (CANS 2011), LNCS 7092, pp. 214–233, 2011. 36. G. Fuchsbauer. Automorphic Signatures in Bilinear Groups and an Application to Round-Optimal Blind Signatures. Cryptology ePrint Archive: Report 2009/320, 2009. 37. C. Gentry, A. Silverberg. Hierarchical ID-based cryptography. In Asiacrypt’02, LNCS 2501, Springer, 2002. 38. J. Groth. Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures. In Asiacrypt’06, LNCS 4284, pp. 444–459, Springer, 2006. 39. J. Groth. Fully anonymous group signatures without random oracles. In Asiacrypt 2007, LNCS 4833, pp. 164–180. Springer, 2007. 40. J. Groth, A. Sahai. Efficient non-interactive proof systems for bilinear groups. In Eurocrypt’08, LNCS 4965, pp. 415–432, 2008. 41. D. Halevy, A. Shamir. The LSD broadcast encryption scheme. In Crypto’02, LNCS 2442, pp. 47–60, Springer, 2002. 42. D. Hofheinz, T. Jager, E. Kiltz. Short Signatures From Weaker Assumptions. In Asiacrypt’11, LNCS series, to appear, 2011. 43. D. Hofheinz, E. Kiltz. Programmable hash functions and their applications. In Crypto’08, LNCS 5157, pp. 21–38, 2008. 44. J. Horwitz, B. Lynn. Toward hierarchical identity-based encryption. In Eurocrypt’02, LNCS 2332, Springer, 2002. 45. A. Kiayias, M. Yung. Secure scalable group signature with dynamic joins and separable authorities. International Journal of Security and Networks (IJSN) Vol. 1, No. 1/2, pp. 24–45, 2006. Earlier version appeared as Cryptology ePrint Archive: Report 2004/076, 2004. 46. A. Kiayias, M. Yung. Group signatures with efficient concurrent join. In Eurocrypt’05, LNCS 3494, pp. 198–214, 2005. 47. E. Kiltz. Chosen-ciphertext security from tag-based encryption. In TCC’06, LNCS 3876, pp. 581–600, 2006. 48. B. Libert, D. Vergnaud. Group Signatures with Verifier-Local Revocation and Backward Unlinkability in the Standard Model. In CANS’09, LNCS 5888, pp. 498-517, 2009. 49. T. Nakanishi, H. Fujii, Y. Hira, N. Funabiki. Revocable Group Signature Schemes with Constant Costs for Signing and Verifying. In PKC’09, LNCS 5443, pp. 463–480, 2009. 50. T. Nakanishi, N. Funabiki. Verifier-Local Revocation Group Signature Schemes with Backward Unlinkability from Bilinear Maps. In Asiacrypt’05, LNCS 5443, pp. 533–548, 2009. 51. M. Naor, D. Naor, J. Lotspiech. Revocation and Tracing Schemes for Stateless Receivers. In Crypto’01, LNCS 2139, pp. 41–62, 2001. 52. M. Naor. On Cryptographic Assumptions and Challenges. In Crypto’03, LNCS 2729, pp. 96–109. Springer-Verlag, 2003. 53. L. Nguyen. Accumulators from Bilinear Pairings and Applications. In CT-RSA’05, LNCS 3376, pp. 275–292, 2005. 54. L. Nguyen, R. Safavi-Naini. Efficient and Provably Secure Trapdoor-Free Group Signature Schemes from Bilinear Pairings. In Asiacrypt’04, LNCS 3329, pp. 372–386. Springer-Verlag, 2004.

15

55. D. Song. Practical forward secure group signature schemes. In ACM-CCS’01, pp. 225–234, 2001. 56. V. Shoup. Lower bounds for discrete logarithms and related problems. In Eurocrypt’97, LNCS 1233, pp. 256–66, 1997. 57. I. Teranishi, K. Sako. k-Times Anonymous Authentication with a Constant Proving Cost. In PKC’06, LNCS 3958, pp. 525–542, Springer, 2006. 58. P. Tsang, M.-Ho Au, A. Kapadia, S. Smith. Blacklistable anonymous credentials: blocking misbehaving users without TTPs. In ACM-CCS’07, pp. 72–81, 2007. 59. P. Tsang, M.-Ho Au, A. Kapadia, S. Smith. PEREA: towards practical TTP-free revocation in anonymous authentication. In ACM-CCS’08, pp. 333–344, 2008. 60. G. Tsudik, S. Xu. Accumulating Composites and Improved Group Signing. In Asiacrypt’03, LNCS 2894, pp. 269–286, 2003. 61. S. Zhou, D. Lin. Shorter Verifier-Local Revocation Group Signatures from Bilinear Maps. In CANS’06, LNCS 4301, pp. 126–143, Springer, 2006.

A

Correctness and Security Definitions for Revocable Group Signatures

In the following, a public state St is said valid if it can be reached from St = (∅, ε) by a Turing machine having oracle access to JGM . Likewise, a state St0 is said to extend another state St if it can be reached from St. Similarly to [45, 46], we will write certi Y seci to express that there exist coin tosses $ for JGM and Juser such that, for some valid public state St0 , the execution of [Juser (λ, Y), JGM (λ, St0 , Y, SGM )]($) provides Juser with hi, seci , certi i. Correctness. We say that a R-GS scheme is correct if: 1. In a valid state St, it holds that |Stusers | = |Sttrans | and no two entries of Sttrans can contain certificates with the same tag. 2. If [Juser (λ, Y), JGM (λ, St, Y, SGM )] is honestly run by both parties and hi, certi , seci i is obtained by Juser , then it holds that certi Y seci . 3. For each revocation epoch t and any hi, certi , seci i such that certi Y seci , satisfying condition 2, if i 6∈ Rt , it holds that Verify Sign(Y, t, RLt , certi , seci , M ), M, t, RLt , Y = 1. 4. For any hi, certi , seci i resulting from the interaction [Juser (., .), JGM (., St, ., .)] for some valid state St, any revocation epoch t such that i 6∈ Rt , if σ = Sign(Y, t, RLt , certi , seci , M ), then Open(M, t, RLt , σ, SOA , Y, St0 ) = i. Security Model. As in [45], we formalize security properties via experiments where the adversary interacts with a stateful interface I that maintains the following variables: - stateI : is a data structure representing the state of the interface as the adversary invokes oracles. It is initialized as stateI = (St, Y, SGM , SOA ) ← Setup(λ, N ). It comprises the (initially empty) set Stusers of group members and a database Sttrans containing transcripts of join protocols. Finally, stateI includes a counter t (which is initialized to 0) indicating the number of user revocation queries so far. - n = |Stusers | < N is the current cardinality of the group. - Sigs: is a database of signatures issued by the signing oracle. Each record is a triple (i, t, M, σ) indicating that message M was signed by user i during period t. - U a : is the set of users that are adversarially-controlled since their introduction in the system. - U b : is the set of honest users that were introduced by the adversary acting as a dishonest group manager. For such users, the adversary obtains the transcript of the join protocol but not the user’s membership secret. When mounting attacks, adversaries will be granted access to the following oracles. - Qpub , QkeyGM and QkeyOA : when these oracles are invoked, the interface looks up stateI and returns the group public key Y, the GM’s private key SGM and the opening authority’s private key SOA respectively. 16

- Qa-join : allows the adversary to introduce users under his control in the group. On behalf of the GM, the interface interacts with the malicious prospective user by running JGM in the join protocol. If the protocol successfully terminates, the interface increments N , updates St by inserting the new user n in sets Stusers and U a . It also sets Sttrans := Sttrans ||hn, transcriptn i. - Qb-join : allows the adversary, acting as a dishonest group manager, to introduce new group members of his choice. The interface starts an execution of [Juser , JGM ] and runs Juser in interaction with the JGM -executing adversary. If the protocol successfully completes, the interface increments n, adds user n to Stusers and U b and sets Sttrans := Sttrans ||hn, transcriptn i. It stores the membership certificate certn and the membership secret secn in a private part of stateI . - Qsig : given a message M , an index i, the interface checks if the private area of stateI contains a certificate certi and a membership secret seci such that i 6∈ Rt , where t is the current revocation epoch. If no such elements exist or if i 6∈ U b , it returns ⊥. Otherwise, it generates a signature σ on behalf of user i for epoch t. It also sets Sigs ← Sigs||(i, t, M, σ). - Qopen : on input of a valid pair (M, σ) for some revocation epoch t, the interface runs the opening algorithm using the current state St. When S is a set of triples (M, σ, t), Q¬S open denotes the restricted oracle that applies the opening procedure to any triple (M, σ, t) but those in S. - Qread and Qwrite : allow the adversary to read and write the content of stateI . When invoked, Qread outputs the whole stateI but the public/private keys and the private part of stateI where membership secrets are stored after Qb-join -queries. Queries Qwrite allow the adversary to modify stateI as long as it does not remove or alter elements of Stusers , Sttrans or invalidate the public state St: for example, the adversary can use it to create dummy users at will as long as it does not re-use already existing certificate tags. - Qrevoke : is a user revocation oracle. On input of an index i such that i ∈ Stusers , the interface checks if i is in the appropriate user set (i.e., U a or U b depending on the considered security notion) and if Sttrans contains a record hi, transcripti i such that i 6∈ Rt , where t is the current revocation epoch. If not, it returns ⊥. Otherwise, it increments t, adds i to Rt and generates an updated revocation list RLt which is made available to the adversary. For simplicity, we assumed that the adversary only revokes one user per query to Qrevoke but the model easily extends to allow multiple revocations at once. The KY model considers properties termed security against misidentification attacks, framing attacks and anonymity. In a misidentification attack, the adversary is allowed to corrupt the opening authority via the QkeyOA oracle. He can also introduce corrupt users in the group via Qa-join -queries and revoke users at will using Qrevoke . His goal is to produce a signature σ ? that verifies w.r.t. RLt? , where t? denotes the current revocation epoch (i.e., the number of Qrevoke -queries). It wins if the produced signature σ ? does not open to any unrevoked adversarially-controlled. Definition 4. A R-GS scheme is secure against misidentification attacks if, for any PPT adversary A involved in the experiment hereafter, we have Advmis-id (λ) = Pr[Exptmis-id (λ) = 1] ∈ negl(λ). A A Experiment Exptmis-id (λ) A stateI = (St, Y, SGM , SOA ) ← Setup(λ, N ); (M ? , σ ? ) ← A(Qpub , Qa-join , Qrevoke , Qread , QkeyOA ); If Verify(σ ? , M, t? , RLt? , Y) = 0 return 0; i = Open(M ? , t? , RLt? , σ ? , SOA , Y, St0 ); If (i 6∈ U a \Rt? ) return 1; Return 0; This definition extends the usual definition [45] in that A is also successful if σ ? verifies w.r.t. RLt? but opens to an adversarially-controlled user that was revoked during the revocation epoch t? . 17

Framing attacks consider the situation where the whole system, including the group manager and the opening authority, conspires against some honest user. The adversary is allowed to corrupt the group manager and the opening authority (using QkeyGM and QkeyOA , respectively). He can also introduce honest group members (via Qb-join -queries), observe the system while these users generate signatures and create dummy users using Qwrite . In addition, before the possible corruption of the group manager, the adversary can revoke group members at any time by invoking the Qrevoke oracle. As a potentially corrupted group manager, A is allowed to come up with his own revocation list RLt? at the end of the game. We assume that anyone can publicly verify that RLt? is correctly formed (i.e., that it could be a legitimate output of Revoke) so that the adversary does not come up with an ill-formed revocation list. For consistency, if A chooses not to corrupt the GM, the produced revocation list RLt? must be the one determined by the history of Qrevoke -queries. The adversary eventually aims at framing an uncorrupt group member. Definition 5. A R-GS scheme is secure against framing attacks if, for any PPT adversary A, it holds fra that Advfra A (λ) = Pr[ExptA (λ) = 1] ∈ negl(λ). Experiment Exptfra A (λ) stateI = (St, Y, SGM , SOA ) ← Setup(λ, N ); (M ? , σ ? , t? , RLt? ) ← A(Qpub , QkeyGM , QkeyOA , Qb-join , Qrevoke , Qsig , Qread , Qwrite ); If Verify(σ ? , M ? , t? , RLt? , Y) = 0 then return 0; i = Open(M ? , t? , RLt? , σ ? , SOA , Y, St0 ); b If i 6∈ V U return 0; ? ? If j∈U b s.t. j=i (j, t , M , ∗) 6∈ Sigs then return 1; Return 0; Anonymity is defined via a game involving a 2-stage adversary. In the first stage, called play stage, the adversary is allowed to modify stateI by making Qwrite -queries and to open signatures of his choice by invoking Qopen . At the end of the play stage, it chooses a message-period pair (M ? , t? ) and two pairs (sec?0 , cert?0 ), (sec?1 , cert?1 ), consisting of a well-formed membership certificate and a membership secret for R b = 0, 1. The challenger flips a fair binary coin d ← {0, 1} and generates a signature σ ? using (sec?d , cert?d ). The adversary aims to eventually determine the bit d. Of course, it is restricted not to query the opening of (M ? , σ ? ) during the guess stage. Definition 6. A R-GS scheme is fully anonymous if Advanon (A) := |Pr[Exptanon A (λ) = 1] − 1/2| is negligible for any PPT adversary A involved in the following experiment: Experiment Exptanon A (λ) stateI = (St, Y, SGM , SOA ) ← Setup(λ); aux, M ? , t? , RLt? , (sec?0 , cert?0 ), (sec?1 , cert?1 ) ← A(play : Qpub , QkeyGM , Qrevoke , Qopen , Qread , Qwrite ); If ¬(certb Y secb ) for b ∈ {0, 1} or if cert0 = cert1 return 0; R d← {0, 1}; σ ? ← Sign(Y, t? , cert?d , sec?d , M ? ); ¬{(M ? ,σ ? ,t? )} , Qread , Qwrite ); d0 ← A(guess : σ ? , aux, Qpub , QkeyGM , Qopen If d0 = d then return 1; Return 0;

B

Hierarchical Identity-Based Encryption

Consider a hierarchy of entities, each of which has a unique address ID = (I1 , . . . , I` ), with Ii ∈ {0, 1}∗ for 1 ≤ i ≤ `, at level `. For any i ≤ `, ID|i denotes the prefix (I1 , . . . , Ii ) of ID. The address of a node at level i is obtained by appending its local identifier Ii to its father’s address ID|i−1 . 18

A HIBE scheme [44, 37] is a tuple (Setup, Keygen, Derive, Encrypt, Decrypt) of algorithms5 working as follows. Setup is run by a trusted private key generator (PKG) to generate a master public key mpk and a master secret key msk. The latter is used by the PKG, at the root of the hierarchy, to derive private keys from users’ identities at level 1. The key generation algorithm Keygen takes as input the master secret key msk and a hierarchical identity ID = (I1 , . . . , Ik ) and returns a private key dID for that identity. Algorithm Derive is used by a `-th level entity with address ID = (I1 , . . . , I` ) to compute private keys for its children labeled as (I1 , . . . , I` , ∗) at depth ` + 1. It takes in a `-th level private key dID and a vector ID0 = (I1 , . . . , I` , I`+1 ), where ID0 |` = ID, to generate a (` + 1)-th level secret key dID0 . Algorithm Encrypt takes in a plaintext m ∈ M, where M denotes the plaintext space, the master public key mpk and the receiver’s address ID = (I1 , . . . , I` ) to produce a ciphertext C that can be undone by the receiver having obtained dID from its father. In many HIBE constructions (such as [15, 20]) delegated private keys (produced by Derive) have the same distribution as original keys (generated by Keygen). In the upcoming security definitions, we assume that this property is satisfied by the considered HIBE system. In the following, we say that a HIBE scheme is key-partitioned if private keys dID = (DID , KID ) consist of two distinct part: the first one DID is called decryption component and it is only used to decrypt messages; the second part KID is called delegation component and its sole purpose is to derive private keys for children nodes. Many HIBE systems in the literature (e.g., [15, 20]) are key-partitioned. B.1

Security Definitions for HIBE

The standard security notion [37] captures that any coalition of hierarchy entities that are not ancestors of some user should be unable to gain information on messages encrypted for that user. In [30], Canetti, Halevi and Katz suggested a weaker security notion, called selective security, where the adversary has to choose its target identity upfront. Definition 7. [30] A HIBE system with ` levels is selectively secure (or IND-sID-CPA secure) if no PPT adversary A has non-negligible advantage in this game: 1. The adversary A chooses a target identity ID? = (I1? , . . . , I`?? ) at depth `? < `, for some `? of its choice. The challenger runs (mpk, msk) ← Setup(λ) and hands mpk to A. 2. A issues a number of key extraction queries under the rule that no prefix of ID? can be the input of a key extraction query. On input of an identity ID = (I1 , . . . , Ik ), with k ≤ `, the challenger responds with dID ← Keygen(msk, ID). 3. When A decides that the first phase is over, it chooses messages m0 , m1 . The challenger flips a coin R d← {0, 1} and responds with a challenge C ? = Encrypt(mpk, ID? , md ). 4. A issues new queries but cannot ask for the private key of a prefix of ID? . 5. A finally outputs a bit d0 ∈ {0, 1} and wins if d0 = d. As usual, A’s advantage is quantified as the distance Advhibe (A) := |Pr[d0 = d] − 1/2|. For our purposes, we need a different and non-standard form of selective security, which mandates that the adversary be unable to maul a private key that it obtained for some target identity ID† even knowing the master secret key. By “mauling”, we mean computing a private key for a different identity ID0 6= ID† but under the same randomness as the received key dID† . Definition 8. A key-partitioned HIBE system with ` levels is said selectively key-robust if no PPT adversary A has non-negligible advantage in the following game: 5

We use the syntax of [20] which involves an explicit delegation algorithm Derive. Although this algorithm is not explicitly written in [15], it exists as noted in appendix B.2.

19

1. The adversary A chooses an identity ID† = (I1† , . . . , I`†† ) that it wishes to be challenged upon at the depth `† < ` of its choice. The challenger runs (mpk, msk) ← Setup(λ) and hands (msk, mpk) to A along with a challenge consisting of a private key dID† for the identity ID† . 2. A outputs an identity ID0 such that ID† is not a prefix6 of ID0 and a decryption component DID0 (i.e., a private key without delegation component). The adversary wins if: (i) DID0 is a valid decryption component for ID0 ; (ii) DID0 and dID† correspond to the same randomness of the key generation algorithm. In Definition 8, we insist that A is given a full private key for the target identity ID† but it only has to output a valid decryption component DID0 for ID0 . It is also worth insisting that, for the application of this paper, a selective flavor of key-robustness suffices. Indeed, since the number of group members is always polynomial, the target identity ID† can be guessed upfront with non-negligible probability in the proof of Lemma 2 (in appendix C). B.2

The Boneh-Boyen-Goh HIBE

In [15], Boneh, Boyen and Goh (BBG) described the first HIBE scheme where the size of ciphertext does not depend on the depth of the receiver in the hierarchy. The construction bears resemblance with the first selectively secure IBE scheme of Boneh and Boyen [14], which can be seen as a single-level variant of the BBG HIBE. The latter works as follows. Setup(λ, `): given a security parameter λ ∈ N and the number of levels ` ∈ N in the hierarchy, choose R R G and bilinear groups (G, GT ) of prime order p, where p > 2λ . Choose α ← Zp , g, g2 , h0 , h1 , . . . , h` ← α compute g1 = g . The master public key is defined to be mpk BBG := (G, GT ), g, g1 , g2 , {hi }`i=0 while the master secret key consists of msk BBG := g2α . The space of hierarchical identities is I = (Z∗p )≤` . Keygen msk BBG , ID = (I1 , . . . , Ik ) : to generate a private key for ID = (I1 , . . . , Ik ) ∈ (Z∗p )k at level k using R mskBBG = g2α , choose r ← Zp . Then, compute and return k Y r dID = (D1 , D2 , Kk+1 , . . . , K` ) = g2α · h0 · hIi i , g r , hrk+1 , . . . , hr` ∈ G`−k+2 .

(10)

i=1

Derive dID , ID0 = (I1 , . . . , Ik , Ik+1 ) : given a private key dID of the form (10) for the hierarchical identity ID = (I1 , . . . , Ik ), it is easy to derive a key for the identity ID0 = (I1 , . . . , Ik , Ik+1 ) ∈ (Z∗p )k+1 by choosing R r0 ← Zp and computing

0 , . . . , K`0 ) dID0 = (D10 , D20 , Kk+2 k+1 Y I r 0 0 0 0 Ik+1 = D1 · Kd+1 · h0 · hi i , D2 · g r , Kk+2 · hrk+2 , . . . , K` · hr` i=1

=

g2α

· h0 ·

k+1 Y

hIi i

r00

00

00

, g r , hrk+2 , . . . , hr`

00

i=1

where r00 = r + r0 . 6

We assume that hierarchical identities are prefixes of themselves for simplicity.

20

∈ G`−k+1 ,

(11)

R Encrypt(mpk BBG , ID = (I1 , . . . , Id ), M ): to encrypt M ∈ G under ID = (I1 , . . . , Id ) ∈ (Z∗p )d , choose s ← Zp and compute

C0 = M · e(g1 , g2 )s ,

C1 = g s ,

C2 = h0 · hI11 · · · hIdd

s

The ciphertext is C = C0 , C1 , C2 . Decrypt(mpk BBG , dID , C): parse dID as (D1 , D2 , Kd+1 , . . . , K` ) ∈ G`−d+2 and the ciphertext C as C0 , C1 , C2 . Then, compute and output M = C0 · e(C1 , D1 )−1 · e(C2 , D2 ). It is easy to see that this construction is key-partitioned since the private key can be divided into (DID , KID ), where DID = (D1 , D2 ) ∈ G2 is only used to decrypt and KID = (Kk+1 , . . . , K` ) ∈ G`−k+2 is only useful for delegations. When the private key for ID0 is derived from the private key for ID, the randomizer r0 ∈ Zp in (11) allows making sure that derived private keys are indistinguishable from original keys that are generated directly at level k + 1. In our application, we will require that key be derived without any randomization. Namely, a private key for ID0 is always derived as per Ik+1 0 , D2 , Kk+2 , . . . , K` , . . . , K`0 ) = D1 · Kd+1 dID0 = (D10 , D20 , Kk+2 k+1 Y I r = g2α · h0 · hi i , g r , hrk+2 , . . . , hr` ∈ G`−k+1 . i=1

For this reason, a private key and its descendants will always share the same component D2 . However, it does not affect the security of the group signature since, in the join protocol, users are always given freshly generated HIBE private keys. The following lemma demonstrates that the BBG HIBE is selectively key-robust under the DiffieHellman assumption. The proof implicitly relies on the fact (implicitly noted in [43, 42]) that BLS-type signatures [17] can be proved secure in the standard model when the number of signing queries is bounded by a small constant (such as one here since the one-time public key g r is used as a one-time public key). Lemma 1. The BBG HIBE scheme is selectively key-robust assuming that the CDH assumption holds in G. More precisely, a selective key-robustness adversary A with advantage ε implies an algorithm B solving the CDH problem with advantage ε · (1 − 1/p). Proof. Towards a contradiction, let us assume that a selective adversary A has non-negligible advantage in the game of Definition 8. We show that A allows breaking the CDH assumption. Algorithm B receives as input a CDH instance (g, g a , g b ) ∈ G3 and undertakes to compute g ab . At † the beginning of its interaction with A, the latter chooses a target identity ID† = (I1† , . . . , I`†† ) ∈ (Z∗p )` at the depth `† ≤ ` of its choice. Then, B generates the master key pair (mskBBG , mpkBBG ) by choosing R R R α← Zp , g2 ← G and setting g1 = g α as in the normal setup algorithm. Then, it picks γ1 , . . . , γ`† ← Zp , R δ0 , . . . , δ ` ← Zp and defines h0 = g δ0 · (g b )−

P`†

i=1

γi Ii†

hi = g δi · (g b )γi

for i = 1, . . . , `†

hi = g δi

for i = `† + 1, . . . , `. 21

To generate a private key dID† = (D1 , D2 , K`† +1 , . . . , K` ) for the target identity ID† , B sets D1 = g2α · (g a )δ0 +

P`†

† i=1 δi Ii

D2 = g a for i = `† + 1, . . . , `,

Ki = (g a )δi

which form a valid private key for the random exponent r = a. The adversary A is given (mpkBBG , mskBBG = g2α ) and the private key dID† . Its goal will be to produce a valid decryption component DID0 = (D10 , D20 ) corresponding to an identity ID0 = (I10 , . . . , Ik0 ) ∈ (Z∗p )k , for some k ∈ {1, . . . , `}, that ID† is not a prefix of. In addition, DID0 should correspond to the same random exponent r = a as dID† (in other words, D10 = D2 = g a ). When A outputs its result (ID0 , DID0 ), we distinguish the following situations. • If k ≤ `† , we have h0 ·

k Y

I0

Pk

0 i=1 δi Ii

hi i = g δ0 +

Pk

· (g b )

i=1

γi ·(Ii0 −Ii† )−

P`†

i=k+1

γi Ii†

(12)

i=1

and, with overwhelming probability 1 − 1/p, it holds that k X

†

γi ·

(Ii0

−

Ii† )

−

i=1

` X

γi Ii† 6= 0.

(13)

i=k+1 †

Indeed, the vector ~γ = (γ1 , . . . , γ`† ) is chosen uniformly in Z`p and it is independent of A’s view. - If k = `† , we must have Ii0 6= Ii† for at least one i ∈ {1, . . . , `† }. Since the coordinates of ~γ are P† independent and uniformly distributed, the probability to have `i=1 γi · (Ii0 − Ii† ) = 0 is at most 1/p since we are bounding the probability of a random vector ~γ to be orthogonal to a given non-zero † vector of Z`p . - If k < `† , we may have Ii0 = Ii† for each i ∈ {1, . . . , k} (i.e., ID0 may be a prefix of ID† ). In this P† situation, the probability to have `i=k+1 γi Ii† = 0 is also 1/p since (γk+1 , . . . , γ`† ) is independent of † , . . . , I`†† are always non-zero. Finally, if ID0 is not a prefix of ID† , there A’s view and identities Ik+1 exists i ∈ {1, . . . , k} such that Ii0 6= Ii† . Then, the same argument as in previous cases applies. Q I0 Since A presumably outputs a decryption component DID0 = (D1 , D2 ) = g2α · (h0 · ki=1 hi i )a , g a with non-negligible probability ε, B can compute g

ab

=

† 1/(Pki=1 γi ·(Ii0 −Ii† )−P`i=k+1 γi Ii† )

D1

g2α · (g a )δ0 +

Pk

0 i=1 δi Ii

with probability ε · (1 − 1/p). • If k > `† , there exists i ∈ {1, . . . , `† } such that Ii0 6= Ii† since ID† cannot be a prefix of ID0 . In this case, we can write h0 ·

k Y

I0

Pk

hi i = g δ0 +

0 i=1 δi Ii

P`†

· (g b )

i=1

γi ·(Ii0 −Ii† )

i=1

P`†

where i=1 γi · (Ii0 − Ii† ) 6= 0 with probability at least 1 − 1/p. Then, the CDH solution g ab can be found in the same way as in the case k ≤ `† . t u 22

C

Deferred Lemma for the Security against Misidentification Attacks

Lemma 2. The advantage of any Type II.b forger A is at most 1 2 Advmis-id-II.b (λ) ≤ 4 · N · 1 − · AdvCDH (λ) A p where N denotes the maximal number of users. Proof. At the beginning of its interaction with its challenger, our selective key-robustness adversary B chooses a random node xj ∈ T and a random descendant x0j of xj (alternatively, B can more simply choose two distinct random nodes in the tree and, with some probability, x0j will be in the subtree rooted at xj ). Since x0j is a descendant of xj , its label hx0j i can be written hx0j i = hxj i||w`1 . . . w`2 , for some integers `1 , `2 ∈ {1, . . . , `} and where wi ∈ {0, 1} for each i ∈ {`1 , . . . , `2 }. Then, B declares ID† = (H(hxj i), H(w`1 ), . . . , H(w`2 )) as its target identity at level `2 − `1 + 2. The key-robustness challenger replies by returning a master key pair (mskBBG , mpkBBG ) consisting of mpkBBG = (G, GT ), g, g1 = g α , g2 , {hi }`i=0 , mskBBG = g2α together with a private key dID† = (D1† , D2† , K`†2 −`1 +3 , . . . , K`† ) for the identity ID† . Then, B uses mpkBBG to construct the group public key Y and generates all other public key elements (0) (1) (including pkAHO and pkAHO ) according to the specification of the setup algorithm. In particular, B retains (0) (1) the group manager’s secret key SGM = (skAHO , skAHO ) and uses it to answer Qa-join -queries. At each Qa-join -query, B executes the join protocol on behalf of JGM and proceeds exactly as the real JGM does (recall that it knows SGM and can thus perfectly simulate JGM ) with one exception. Namely, when executing step b.1 of Join, if the private key Dw has to be computed for the target identity ID† , B uses the private key dID† that it received from its challenger to compute (Dw,1 , Dw,2 , Kw,`2 −`1 +3 , . . . , Kw,` ) = D1† /g2α , D2† , K`†2 −`1 +3 , . . . , K`† . As for Qpub , Qrevoke , Qread and QOA -queries, B simply answers them as the real oracles would. If the game terminates and B did not have to compute a private key for ID† at some Qa-join -query, then B halts and reports failure since it must have guessed the wrong tree nodes xj and x0j . Otherwise (i.e., if dID† was used to compute part of a membership certificate), we know that A’s forgery σ ? will contain a committed HIBE private key (D1? , D2? ) and a committed value X ? such that (X ? , D2? ) is one of the pairs that were signed by B during some Qa-join -query. Moreover, the pair (X ? , D2? ) was associated with some HIBE private key dID = (D1 , D2? , K`2 −`1 +3 , . . . , K` ) for a certain hierarchical identity ID at step b.1 of Join. Since that identity is entirely defined by two nodes at the extremities of a path in the tree T, these two nodes happen to be xj and x0j – so that ID = ID† – with non-negligible probability 1/(2N − 1)2 > 1/4N 2 . Therefore, with probability at least 1/4N 2 , the value D2? is precisely the element D2† of the challenge private key dID† sent by the key-robustness challenger. Also, we note that dID and (D1? , D2? ) necessarily correspond to distinct identities as the signature σ ? would not trace to a revoked user otherwise. If the desirable event ID = ID† comes about, this implies that either: - (D1? , D2? ) = (D1† , D2† ), which means that dID† and (D1? , D2? ) correspond to distinct hierarchical identities ID† = (I1 , . . . , I`2 −`1 +2 ) and (I10 , . . . , Ik ), with k ∈ {1, . . . , `}, such that h0 ·

`2 −` 1 +2 Y

0

hIi i

i=1

= h0 ·

k Y

I0

hi i .

i=1

Such a collision is known (as shown in [43][Section 1.2], for example) to occur with negligible probability under the discrete logarithm assumption. 23

- D2? = D2† and D1? 6= D1† , in which case B wins the selective key-robustness game. It does so by outputting the decryption component (g2α ·D1? , D2? ) – after having extracted (D1? , D2? ) from {com?Di }2i=1 using (β1 , β2 ) – and the identity ID0 corresponding to the HIBE ciphertext Cl? of the revocation list. Indeed, if B correctly guessed xj and x0j , ID0 cannot be a descendant of ID† as long as σ ? opens to a revoked user in U a ∩ Rt? . Since the probability to have ID = ID† is at least 1/4N 2 and due to the multiplicative factor (1 − 1/p) in the statement of Lemma 1, the announced result follows. t u

D D.1

Security against Framing Attacks and Anonymity Framing Attacks

Theorem 2 (Non-frameability). The scheme is secure against framing attacks assuming that: (i) the qb -SDH assumption holds in G, where qb is the maximal number of Qb-join -queries; (ii) Σ is a strongly unforgeable one-time signature. Proof. As in [39], we consider two kinds of framing attacks that can be possibly mounted by a nonframeability adversary A. ? - Type I attacks: the adversary A generates a forgery σ ? = VK? , Ψ1? , Ψ2? , Ψ3? , Ψ4? , Ψ5? , Ω ? , com? , Π? , σots for which the one-time verification key VK? was used by some honest group member i ∈ U b when answering a Qsig -query. ? - Type II attacks: A outputs a forgery σ ? = VK? , Ψ1? , Ψ2? , Ψ3? , Ψ4? , Ψ5? , Ω ? , com? , Π? , σots for which the one-time verification key VK? was never used by Qsig to answer a signing query on behalf of an honest user i ∈ U b . It is immediate that Type I attacks imply a breach in the unforgeability of the one-time signature. Lemma 3 shows that no PPT adversary can produce a Type II forgery as long as the Strong Diffie-Hellman assumption holds. t u Lemma 3. The scheme is secure against framing attacks of Type II if the qs -SDH problem is hard. More precisely, the advantage of any adversary after qs Qsig -queries and qb Qb-join -queries is at most Advfra-II (λ) ≤ qb · Advqs -SDH (λ). Proof. By hypothesis, the adversary A comes up with a forgery (M ? , σ ? ) that opens to some honest user i ∈ U b and that did not issue a signature containing the verification key VK? . The same proof as in [39] shows that the Strong Diffie-Hellman assumption can be broken. qs Given a problem instance (˜ g , g˜a , . . . , g˜(a ) ) ∈ Gqs +1 , the simulator B generates qs one-time signature keys pairs (SKi , VKi ) ← G(λ) for i = 1 to qs . Then, using standard techniques (see [13][Lemma 3.2]) it builds a generator g and a randomly distributed public value X † = g a – which implicitly defines x† = logg (X † ) = a s – such that it knows {(g 1/(a+VKi ) , VKi )}qi=1 . (b) (b) Next, using the newly generated g, B generates key pairs {(skAHO , pkAHO )}b=0,1 for the AHO signature (b) (0) (1) (note that group elements of {pkAHO }b=0,1 are computed as powers of g) and uses pkAHO , pkAHO to form the group public key (0) (1) Y = g, pkAHO , pkAHO , mpkBBG , f , U, V, H, Σ . In the latter, the Groth-Sahai CRS f = (f~1 , f~2 , f~3 ) is prepared for the perfect soundness setting, i.e., with ξ1 ξ2 R f~1 = (f1 = g β1 , 1, g), f~2 = (1, f2 = g β2 , g) and f~3 = f~1 f~2 , where ξ1 , ξ2 ← Z∗p . Should the adversary A decide to corrupt the group manager or the opening authority during the game, (0) (1) B has SGM = (skAHO , skAHO ) and SOA = (β1 , β2 ) = (logg (f1 ), logg (f2 )) at its disposal. At the beginning of R the game, B picks a random index j ? ← {1, . . . , qb } and interacts with A as follows. 24

(0)

(1)

- QkeyGM -queries: if A decides to corrupt the group manager, B surrenders SGM = (skAHO , skAHO ). - Qb-join -queries: when A, acting as a rogue group manager, requests the introduction of a new honest user i in the group, B starts interacting with A in an execution of Join and runs Juser on behalf of the prospective user. Namely, B’s behavior depends on the index j ∈ {1, . . . , qb } of the Qb-join -query. - If j 6= j ? , B follows exactly the specification of Juser . - If j = j ? , B sends the value X † to JGM at step 1 of Join. This implicitly defines user j ? ’s membership secret to be the unknown exponent secj ? = a of the SDH instance. In subsequent steps of the join protocol, B proceeds as the real Juser would. When Join terminates, B obtains a membership certificate certj ? = hvj i, {{dw , σw }w∈copathx }`j=0 , X † . j - Qpub -queries: can be treated as in the real game, by having the simulator return Y. - Qsig -queries: when A asks user i ∈ U b to sign a message M , the simulator B can answer the query by running the real signature generation algorithm if i 6= j ? . Otherwise (namely, if i = j ? ), B uses s the next available pair {(g 1/(a+VKi ) , VKi )}qi=1 to define σVKi . It also recalls the membership certificate ` † ? certj = hvj i, {{dw , σw }w∈copathx }j=0 , X that it obtained from the JGM -executing adversary at the j j ? -th Qb-join -query. It is easy to see that, using σVKi and certj ? , it can easily generate all signature components and sign them all using SKi . ? , for some message M ? , Finally, A outputs a signature σ ? = VK? , Ψ1? , Ψ2? , Ψ3? , Ψ4? , Ψ5? , Ω ? , com? , Π? , σots that opens to some user i? ∈ U b who did not sign M ? . At this point, B halts and declares failure if it turns out that X † 6= Ψ3? · Ψ1? −1/β1 · Ψ2? −1/β2 since, in this case, it was unfortunate when drawing the random index j ? . Still, with probability 1/qb , the signature σ ? opens to the user introduced at the j ? -th Qb-join -query and (Ψ1? , Ψ2? , Ψ3? ) does decrypt to X ? . In this situation, the perfect soundness of the proof system ensures that ? ? † VK? ) = e(g, g). Since σ ? is a Type com?σVK? is a commitment to a group element σVK ? such that e(σ VK? , X · g II forgery, B can use β1 , β2 to compute a BBS decryption of com?σVK? and obtain a solution (σVK? , VK? ) to the qb -SDH instance. t u D.2

Anonymity

As for the anonymity property, it naturally relies on the DLIN assumption. The proof is essentially identical to that of Lemma 5 in [39] but we give it for completeness. Theorem 3 (Anonymity). The advantage of any anonymity adversary is at most Advanon (A) ≤ Advots (λ) + 3 · AdvDLIN (λ), where the first term is A’s probability of breaking the strong unforgeability of the one-time signature. Proof. We consider a sequence of games at the end of which even an unbounded adversary has no advantage. In Game i, we call Si the event that A wins and define Advi = |Pr[Si ] − 1/2|. Game 1: is the experiment of definition 6. In the play stage, the adversary A can obtain the group (0) (1) public key Y, the group manager’s private key SGM = (skAHO , skAHO ). It can also ask for the opening of any group signature and read/write the content of stateI . When it decides to enter the challenge phase, it outputs a message M ? , a period index t? and two membership certificate/secret (cert?0 , sec?0 ) and (cert?1 , sec?1 ) R such that cert?b Y sec?b for b = 0, 1. The simulator B flips a fair coin d ← {0, 1} and computes σ ? ← Sign(Y, t? , RLt? , cert?d , sec?d , M ? ), where t? is determined by the history of Qrevoke -queries. The signature σ ? is given as a challenge to A who has to guess d ∈ {0, 1} after another series of queries (under the natural restriction of not querying the opening of σ ? ). We have Adv1 = Advanon (A). Game 2: is as Game 1 but B halts if A queries the opening of a signature σ containing the same one-time verification key VK? as in the challenge phase (we assume w.l.o.g. that (SK? , VK? ) is generated at the 25

outset of the game). If such a query is made before the challenge phase, it means that A was able to forge a one-time signature even without having seen a signature. If the query occurs after the challenge phase, then the strong unforgeability of Σ is broken. We can thus write |Pr[S2 ] − Pr[S1 ]| ≤ Advots (λ). Game 3: we change the generation of Y so as to answer Qopen -queries without using the secret exponents ? R β1 , β2 ∈ Zp that define SOA . To this end, B chooses αu , αv ← Z∗p , and defines U = g −VK · f1αu , and ? V = g −VK · f2αv . It is not hard to see (see [47] for details) that, for any Qopen -query containing a BBS encryption (Ψ1 , Ψ2 , Ψ3 ) = (f1z1 , f2z2 , X ·g z1 +z2 ), the values (Ψ4 , Ψ5 ) reveal g z1 and g z2 (and thus the encrypted X) since VK 6= VK? unless the event introduced in Game 2 occurs. To generate the challenge signature σ ? at epoch t? , B first computes (Ψ1? , Ψ2? , Ψ3? ) and then (Ψ4? , Ψ5? ) = (Ψ1? αu , Ψ2? αv ). It sets the challenge signature ? ). It can be checked that the distributions of Y and to be σ ? = (VK? , Ψ1? , Ψ2? , Ψ3? , Ψ4? , Ψ5? , Ω ? , com? , Π? , σots ? σ are unchanged and we have Pr[S3 ] = Pr[S2 ]. Game 4: in the setup phase, we generate the CRS f = (f~1 , f~2 , f~3 ) of the proof system for the perfect ξ2 ξ1 ξ2 ξ1 WI setting. We choose f~3 = f~1 f~2 (1, 1, g)−1 instead of f~3 = f~1 f~2 so that f~1 , f~2 and f~3 are linearly independent. Any significant change in A’s behavior yields a distinguisher for the DLIN problem and we can write |Pr[S4 ] − Pr[S3 ]| = 2 · AdvDLIN (B). As noted in [40], proofs in the WI setting reveal no information on which witnesses they were generated from.

Game 5: we modify the generation of the challenge σ ? and use the trapdoor of the CRS (i.e., ξ1 , ξ2 s.t. ξ2 ξ1 ϕ ~ = f~1 f~2 ) to simulate proofs {πeq-com,j }3 that (Ψ ? , Ψ ? , Ψ ? ) and comX encrypt of the same value. It 1

j=1

2

3

is known [40] that linear multi-exponentiation equations always have perfectly NIZK proofs on a simulated CRS. For, any satisfiable relation, (ξ1 , ξ2 ) allows generating proofs without using the witnesses τ1 , τ2 , τ3 for which (9) holds and simulated proofs are perfectly indistinguishable from real ones. Hence, Pr[S5 ] = Pr[S4 ]. Game 6: in the computation of Ψ3? , we now replace g z1 +z2 by a random group element in the challenge σ ? . Since B does not explicitly use z1 = logf1 (Ψ1? ), z2 = logf2 (Ψ2? ), any change in A’s behavior yields a distinguisher for the DLIN problem and |Pr[S6 ]−Pr[S5 ]| ≤ AdvDLIN (B). In Game 6, we have Pr[S6 ] = 1/2. Indeed, when we consider the challenge σ ? , Groth-Sahai commitments are all perfectly hiding in the WI setting and proofs Π reveal nothing about the underlying witnesses (in particular, NIZK proofs {πeq-com,j }3j=1 are generated without using them) and (Ψ1? , Ψ2? , Ψ3? ) perfectly hides X ? . Finally, randomized signature 0 ? , θ0 ? } components Ω ? = {Θl,i l,i i∈{3,4,6,7} are information-theoretically independent of the corresponding messages and the remaining components of AHO signatures Θl? and θl? . When combining the above, A’s advantage can be bounded by Advanon (A) ≤ Advots (λ)+3·AdvDLIN (λ) as stated by the theorem. t u

E

A Construction Based on the Complete Subtree Method

The following construction uses the public-key variant (suggested in [51, 34]) of the CS method, which does not require a hierarchical IBE: a single-level selectively secure IBE scheme such as the one described by Boneh and Boyen [14] suffices. As in our construction based on the SD method, we do not need to use the master secret key of the IBE system. In the upcoming description, the main difference with the scheme of section 3 is the way to distribute IBE private keys in the join protocol. Other algorithms are essentially unchanged. As in section 3, the number of users is assumed to be N = 2` so that each group member is assigned to a leaf of the tree. Again, each node is assigned a unique identifier. For simplicity, we define the identifier ID(x) ∈ {1, . . . , 2N − 1} of node x to be ID(x) = 2 · ID(parent(x)) + b, where parent(x) denotes x’s father in the tree and b = 0 (resp. b = 1) if x is the left (resp. right) child of its father. The root of the tree is assigned the identifier ID = 1.

26

Setup(λ, N ): given a security parameter λ ∈ N and the permitted number of users N = 2` , R 1. Choose bilinear groups (G, GT ) of prime order p > 2λ , with a generator g ← G. (0) (0) (1) (1) 2. Generate two key pairs (skAHO , pkAHO ) and (skAHO , pkAHO ) for the AHO signature in order to sign messages of two group elements. These key pairs consist of

(d) (d) (d) (d) γi δi (d) (d) (d) (d) (d) γz (d) δz 2 (d) (d) pkAHO = G(d) , H , G = G , H = H , {G = G , H = H } , A , B r r r r z r z r i=1 i i (d) (d) (d) (d) (d) (d) (d) and skAHO = αa , αb , γz , δz , {γi , δi }2i=1 , where d ∈ {0, 1}. 3. As a CRS for the NIWI proof system, select vectors f = (f~1 , f~2 , f~3 ) s.t. f~1 = (f1 , 1, g) ∈ G3 , ξ2 ξ1 R R G and β1 , β2 , ξ1 , ξ2 ← Z∗ . f~2 = (1, f2 , g) ∈ G3 , and f~3 = f~1 · f~2 , with f1 = g β1 , f2 = g β2 ← p

R 4. Choose (U, V ) ← G2 that, together with f1 , f2 , g, will form a public key for an IND-CCA2 cryptosystem. 5. Generate a master public key mpkBB for the Boneh-Boyen IBE. Such a public key consists of mpkBB = h0 , h1 and, again, no master secret key is needed. 6. Select a strongly unforgeable one-time signature Σ = (G, S, V). (0) (1) 7. Set SGM := skAHO , skAHO , SOA := β1 , β2 as authorities’ private keys and define the group public key to be (0) (1) Y := g, pkAHO , pkAHO , mpkBB , f , (U, V ), Σ .

Join(GM,Ui ) : the group manager and the prospective user Ui carry out the following interactive protocol [Juser (λ, Y), JGM (λ, St, Y, SGM )]: R 1. Juser (λ, Y) chooses x ← Zp and computes X = g x which is sent to JGM (λ, St, Y, SGM ). If the value X already appears in some entry transcriptj of the database Sttrans , JGM aborts and returns ⊥ to Juser . 2. JGM assigns to Ui an available leaf vi of the tree T and we let ID(vi ) be the identifier of vi . Let x0 = , x1 , . . . , x`−1 , x` = vi be the path connecting the leaf vi to the root of T. For j = 0 to `, JGM conducts the following steps. r ID(x ) a. Compute an IBE private key Dxj = (Dxj ,1 , Dxj ,2 ) = h0 j · h1 xj , g rxj using a randomly R chosen rxj ← Zp . b. Generate an AHO signature σxj = (θxj ,1 , . . . , θxj ,7 ) on the pair X, Dxj ,2 ∈ G2 so as to bind the node xj and the value X that identifies Ui .

3. JGM sends the IBE private keys {Dxj }`j=0 to Juser that verifies their validity. If all keys are well formed, Juser acknowledges these values by generating a digital signature sigi = Signusk[i] X||{Dxj }`j=0 and sends it back to JGM . 4. JGM checks that Verifyupk[i] X||{Dxj }`j=0 , sigi = 1. If not JGM aborts. Otherwise, JGM sends the AHO signatures {σxj }`j=0 to Juser and stores transcripti = (X, {Dxj , σxj }`j=0 , sigi ) in Sttrans . 5. Juser defines the membership certificate certi as certi = hvi i, {Dxj , σxj }`j=0 , X . The membership secret seci is defined to be seci = x. Revoke(Y, SGM , t, Rt ): (0)

(1)

1. Parse SGM as SGM = (skAHO , skAHO ). 2. Using the CS covering algorithm, find a cover of the unrevoked user set {1, . . . , N }\Rt as the union of m sub-trees S1 , . . . , Sm , with m ≤ r · log(N/r). Let u1 , . . . , um be the roots of these sub-trees 27

3. For i = 1 to m, do the following. ID(ui )

a. Compute an IBE ciphertext Ci = h0

· h1 for the identity ID(ui ). (1)

b. To authenticate Ci and bind it to the current revocation epoch t, use skAHO to generate an AHO signature Θi = (Θi,1 , . . . , Θi,7 ) ∈ G7 on the pair (Ci , g t ) ∈ G2 , where the epoch number t is interpreted as an element of Zp . Return the revocation data RLt which is defined to be RLt = t, Rt , {ID(ui ), (Ci , Θi )}m i=1

(14)

Sign(Y, t, RKt , certi , seci , M ): return ⊥ if i ∈ Rt . Otherwise, to sign M ∈ {0, 1}∗ , generate a one-time key pair (SK, VK) ← G(λ). Parse certi and seci as hvi i, {Dxj , σxj }`j=0 , X and x ∈ Zp , respectively. Then, Ui conducts the following steps. 1. Using RLt , determine the sub-tree Sl with l ∈ {1, . . . , m}, that contains the leaf vi (this subset must exist since i 6∈ Rt ) and let ul be the root of Sl . Since ul is an ancestor of vi , the signer Ui necessarily knows and IBE private key of the form Dul = (Dul ,1 , Dul ,2 ) =

ID(ul )

h0

· h1

ru

l

, g rul .

(15)

ID(u ) 2. To prove that he holds a valid IBE private key for Cl = h0 l · h1 , Ui first generates a commitment comCl to Cl . Then, he re-randomizes the corresponding signature Θl = (Θl,1 , . . . , Θl,7 ) to (1) 0 }7 0 }i∈{1,2,5} to the resultobtain {Θl,i i=1 ← ReRand(pkAHO , Θl ) and computes commitments {comΘl,i 0 ing {Θl,i }i∈{1,2,5} . Finally, he generates a proof πCl that Cl is a certified HIBE ciphertext for epoch t: i.e., πCl provides evidence that (1)

(1)

(1) 0 0 0 −1 0 ) · e(G2 , g t )−1 = e(G(1) , Θl,4 A(1) · e(Θl,3 z , Θl,1 ) · e(Gr , Θl,2 ) · e(G1 , Cl ),

(16)

(1)

(1)

0 0 0 −1 0 ) · e(H1 , Cl ), ) · e(Hr(1) , Θl,5 ) · e(H2 , g t )−1 = e(Hz(1) , Θl,1 , Θl,7 B (1) · e(Θl,6

Then, Ui generates commitments comDul ,1 and comDul ,2 to Dul ,1 and Dul ,2 . Then, he generates a 0 } proof πDul that e(Dul ,1 , g) = e(Cl , Dul ,2 ). Since {Θl,i i∈{3,4,6,7} are constants, the two relations of (16) are linear equations and πCl costs 6 elements while πDul takes 9 elements. 3. Let σul = (θul ,1 , . . . , θul ,7 ) ∈ G7 be the structure-preserving signature on (X, Dul ,2 ). Re-randomize (0) σul to obtain {θu0 l ,i }7i=1 ← ReRand(pkAHO , σul ). Then, generate commitments {comθu0 ,i }i∈{1,2,5} to l

{θu0 l ,i }i∈{1,2,5} as well as a commitment comX to X. Finally, generate a proof πσul that committed variables {θu0 l ,i }i∈{1,2,5} , X and Dul ,2 satisfy the verification equations (0)

(0)

0 (0) 0 A(0) · e(θu0 l ,3 , θu0 l ,4 )−1 = e(G(0) z , θul ,1 ) · e(Gr , θul ,2 ) · e(G1 , X) · e(G2 , Dul ,2 ), (0)

(0)

B (0) · e(θu0 l ,6 , θu0 l ,7 )−1 = e(Hz(0) , θu0 l ,1 ) · e(Hr(0) , θu0 l ,5 ) · e(H1 , X) · e(H2 , Dul ,2 ). Since these equations are linear, πσul requires 6 group elements. R 4. Compute a tag-based encryption of X by drawing z1 , z2 ← Zp and setting

(Ψ1 , Ψ2 , Ψ3 , Ψ4 , Ψ5 ) = f1z1 , f2z2 , X · g z1 +z2 , (g VK · U )z1 , (g VK · V )z2 . 28

φX,1 φX,2 φX,3 5. Generate a NIZK proof that the commitment comX = (1, 1, X)· f~1 · f~2 · f~3 and (Ψ1 , Ψ2 , Ψ3 ) are BBS encryptions of the same value X. If we write f~3 = (f3,1 , f3,2 , f3,3 ), comX can be written as φ φ φ φ φ (f1 X,1 · f3,1X,3 , f2 X,2 · f3,2X,3 , X · g φX,1 +φX,2 · f3,3X,3 ) and, given that (Ψ1 , Ψ2 , Ψ3 ) = (f1z1 , f2z2 , X · g z1 +z2 ), we have τ3 τ3 τ3 (17) , g τ1 +τ2 · f3,3 , f2τ2 · f3,2 comX (Ψ1 , Ψ2 , Ψ3 )−1 = f1τ1 · f3,1

with τ1 = φX,1 − z1 , τ2 = φX,2 − z2 , τ3 = φX,3 . The signer Ui commits to the exponents {τi }3i=1 φτ ,2 φτ ,1 ~ = f~3 · (1, 1, g)), and (by computing comτj = ϕ ~ τj · f~1 j · f~2 j for j ∈ {1, 2, 3}, using the vector ϕ 3 generates proofs πeq-com,1 , πeq-com,2 and πeq-com,3 that {τi }i=1 satisfy the relations (17). Since (17) are linear equations, proofs {πeq-com,j }3j=1 cost 2 elements each. 6. Compute σVK = g 1/(x+VK) and generate a commitment comσVK to σVK . Then, generate a NIWI proof πσVK that committed variables σVK and X satisfy e(σVK , X · g VK ) = e(g, g)

(18)

Relation (18) is a quadratic pairing product equation and requires a proof consisting of 9 group elements. 7. Using SK, generate a one-time signature σots = S(SK, (M, RLt , Ψ1 , Ψ2 , Ψ3 , Ψ4 , Ψ5 , Ω, com, Π)) where 0 , θ0 } Ω = {Θl,i ul ,i i∈{3,4,6,7} and 0 }i∈{1,2,5} , {comθ 0 } , {comτj }3j=1 , comσVK com = comCl , {comDul ,j }2j=1 , comX , {comΘl,i u ,j j∈{1,2,5} l

Π = (πCl , πDul , πσul , πeq-com,1 , πeq-com,2 , πeq-com,3 , πσVK ). Return the signature σ = VK, Ψ1 , Ψ2 , Ψ3 , Ψ4 , Ψ5 , Ω, com, Π, σots .

(19)

Verify(σ, M, t, RLt , Y): parse σ as above and return 1 if and only if the following checks all succeed. 1. If V(VK, (M, RLt , Ψ1 , Ψ2 , Ψ3 , Ψ4 , Ψ5 , Ω, com, Π), σots ) = 0, return 0. 2. Return 0 if e(Ψ1 , g VK · U ) 6= e(f1 , Ψ4 ) or e(Ψ2 , g VK · V ) 6= e(f2 , Ψ5 ). 3. Return 1 if all proofs properly verify. Otherwise, return 0. Open(M, t, RLt , σ, SOA , Y, St): given SOA = (β1 , β2 ), parse the signature σ as in (19) and return ⊥ if ˜ = Ψ3 · Ψ −1/β1 · Ψ −1/β2 . Find a record Verify(σ, M, t, RLt , Y) = 0. Otherwise, compute X 1 2 hi, transcripti = (X, {Dxj , σxj }`j=0 , sigi )i ˜ If no such record exists in Sttrans , return ⊥. Otherwise, return i. such that X = X. The size of signatures is exactly the same as in the construction based on the SD method. Revocation lists have become longer: they now contain O(r · log(N/r)) group elements (as in Section 3, the representation of ID(ui ) is at least as short as that of a group element in RLt ) and they can be seen as ciphertexts in the public-key variant [34] of the CS method. On the other hand, we note that membership certificates now consist of O(log N ) group elements (vs O(log3 N ) in the SD method). The complexity of the verification algorithm does not depend on r or N . As for the signing algorithm, it first requires O(log log N ) combinatorial operations (see [51]) to determine which sub-tree the signer is a leaf of. However, the cost of these operations (which are only needed once per epoch) is small compared to that of public-key arithmetic operations. As we can see, the number of arithmetic operations is independent of r and N when it comes to generate or verify signatures. 29

E.1

Security

All security proofs go through essentially without changes. The proof of Theorem 4 relies on the keyrobustness of the Boneh-Boyen IBE [14], but this property is implied by Lemma 1: indeed, the first IBE scheme of [13] (in its single-level variant) can be seen as a single-level variant of the Boneh-Boyen-Goh HIBE. Theorem 4 (Misidentification). The scheme is secure against misidentification attacks assuming that the q-SFP problem is hard for q = max(` · qa , qr2 ), where qa and qr denote the maximal numbers of Qa-join queries and Qrevoke queries, respectively, and ` = log N . Proof. The proof is almost identical to that of Theorem 1. The only difference is that, in the treatment of Type II.a forgeries, the simulator B has to generate at most ` · qa AHO signatures overall (rather than `2 · qa in the proof of Theorem 1). t u Theorem 5 (Non-frameability). The scheme is secure against framing attacks assuming that: (i) the qb -SDH assumption holds in G, where qb is the maximal number of Qb-join -queries; (ii) Σ is a strongly unforgeable one-time signature. Proof. The proof is the same as the proof of Theorem 2.

t u

Theorem 6 (Anonymity). The advantage of any anonymity adversary is at most Advanon (A) ≤ Advots (λ) + 3 · AdvDLIN (λ). Proof. The proof is completely identical to the proof of Theorem 3.

30

t u